BigW Consortium Gitlab

Commit ab1f3b47 by Douwe Maan Committed by Lin Jen-Shin

Merge branch '32059-fix-oauth-phishing' into 'security-10-1'

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab/gitlabhq!2205
parent 304ceb14
......@@ -249,3 +249,22 @@
.doorkeeper-app-form {
.scope-description {
color: $theme-gray-700;
.modal-doorkeepr-auth {
.modal-body {
padding: $gl-padding;
.doorkeeper-app-form {
.scope-description {
margin: 0 0 5px 17px;
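Review bot: `.modal-doorkeepr-auth` is misspelled (`doorkeepr` for `doorkeeper`); a typo in a selector fails silently, matching nothing, so either rename it to `.modal-doorkeeper-auth` and update the corresponding view, or confirm the view deliberately carries the same misspelled class. Also, `.doorkeeper-app-form .scope-description` is declared twice in this hunk, once at top level with `color: $theme-gray-700;` and again nested under `.modal-body` with `margin: 0 0 5px 17px;`; consider folding both into one declaration so the rule stays easy to maintain.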
= form_for application, url: doorkeeper_submit_path(application), html: {role: 'form'} do |f|
= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form', class: 'doorkeeper-app-form' } do |f|
= form_errors(application)
- auth_app_owner = @pre_auth.client.application.owner
%main{ :role => "main" }
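Review bot: `- auth_app_owner = @pre_auth.client.application.owner` is assigned unconditionally and the value is later passed to `user_path`, which only works if every Doorkeeper application is guaranteed an owner that is a User; unless that holds for instance-wide applications as well, add a nil/type guard here (or render an alternative sentence when there is no user owner) so the pre-authorization page cannot raise for a legitimate application. Minor style point: `%main{ :role => "main" }` uses hash-rocket syntax while the `form_for` line in the same change uses `{ role: 'form', class: 'doorkeeper-app-form' }`; pick one style.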
......@@ -16,14 +18,21 @@
will allow them to interact with GitLab as an admin as well. Proceed with caution.
You are about to authorize
An application called
= link_to, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer'
to use your account.
is requesting access to your GitLab account. This application was created by
= succeed "." do
= link_to, user_path(auth_app_owner)
Please note that this application is not provided by GitLab and you should verify its authenticity before
allowing access.
- if @pre_auth.scopes
This application will be able to:
- @pre_auth.scopes.each do |scope|
%li= t scope, scope: [:doorkeeper, :scopes]
%strong= t scope, scope: [:doorkeeper, :scopes]
.scope-description= t scope, scope: [:doorkeeper, :scope_desc]
= form_tag oauth_authorization_path, method: :delete, class: 'inline' do
= hidden_field_tag :client_id, @pre_auth.client.uid
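Review bot: the owner link wrapped by `= succeed "." do` / `= link_to, user_path(auth_app_owner)` assumes `auth_app_owner` is always a User; if it can be nil or another owner type, the authorization page raises instead of rendering, which is the worst failure mode for a phishing mitigation because it blocks the legitimate flow rather than warning the user. Guard the link and show a neutral sentence for owner-less applications. In the same spirit, "Please note that this application is not provided by GitLab" is emitted unconditionally; if applications created by instance administrators go through this template, that sentence is wrong for them and should depend on the owner. Finally, `%strong= t scope, scope: [:doorkeeper, :scopes]` and `.scope-description= t scope, scope: [:doorkeeper, :scope_desc]` replace the old `%li= t scope, scope: [:doorkeeper, :scopes]`; make sure each pair is still nested under a `%li`, otherwise the "This application will be able to:" list loses its list structure.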
......@@ -7,3 +7,4 @@
= check_box_tag "#{prefix}[scopes][]", scope, token.scopes.include?(scope), id: "#{prefix}_scopes_#{scope}"
= label_tag ("#{prefix}_scopes_#{scope}"), scope
%span= t(scope, scope: [:doorkeeper, :scopes])
.scope-description= t scope, scope: [:doorkeeper, :scope_desc]
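Review bot: the added `.scope-description= t scope, scope: [:doorkeeper, :scope_desc]` is a sibling of the `label_tag`, so the description text is not part of the label and clicking it will not toggle the checkbox; if that is intended, fine, otherwise move it inside the label. Because `t` renders a "translation missing" placeholder rather than failing when a key is absent, every scope that can reach this partial needs a matching `scope_desc` entry; the locale hunk in this commit adds four descriptions, which must line up with the scope list. On the context line `= label_tag ("#{prefix}_scopes_#{scope}"), scope`, the space before the parenthesis makes Ruby treat it as a grouped expression and warn; worth dropping it while this file is being touched.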
......@@ -62,7 +62,15 @@ en:
read_user: Read the authenticated user's personal information
openid: Authenticate using OpenID Connect
sudo: Perform API actions as any user in the system (if the authenticated user is an admin)
Full access to GitLab as the user, including read/write on all their groups and projects
Read-only access to the user's profile information, like username, public email and full name
The ability to authenticate using GitLab, and read-only access to the user's profile information
Access to the Sudo feature, to perform API actions as any user in the system (only available for admins)
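Review bot: the four new `scope_desc` strings carry no visible keys in this rendering, so verify that each is keyed exactly `api`, `read_user`, `openid` and `sudo` under `doorkeeper.scope_desc`, since the views look them up with `t scope, scope: [:doorkeeper, :scope_desc]` and a mismatch surfaces only as a "translation missing" placeholder at runtime; a locale spec asserting that `doorkeeper.scopes` and `doorkeeper.scope_desc` share the same key set would catch future drift when a scope is added to one list but not the other.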