Verify state before using errors received from provider

[toupeira]

Summary

This avoids content spoofing attacks by crafting a URL with malicious messages, because the state param is only present in the session after a valid OAuth2 authentication flow.

Background

This vulnerability was reported to GitLab in https://gitlab.com/gitlab-org/gitlab/-/issues/27241 and patched for the 14.3.1 security release in https://gitlab.com/gitlab-org/gitlab/-/commit/79457dafe55. We haven't encountered any problems with this change in our testing and usage.

An example URL to exploit this is https://gitlab.com/users/auth/bitbucket/callback?state=cae8687aa809fc45e00b2f8ed4a0ea124d5f9b8235cb2b2e&error_description=YOUR+ACCOUNT+WAS+LOCKED,PLEASE+GO+TO+https://evil.com+FOR+UNLOCKING+YOUR+ACCOUNT&error=access_denied, previously this would render the attacker's URL in the flash message (which IIRC is the default behaviour when using OmniAuth with Devise), but after this change we'll get the CSRF error instead.

The vulnerability is pretty minor overall, but the fix is also simple so I think this would be worth upstreaming 😀

[BobbyMcWho]

Thanks for the PR Markus, I appreciate the upstream fix. As soon as I have a moment, I will review the PR.

[coveralls]

Pull Request Test Coverage Report for Build 1413410154

• 3 of 3 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+2.2%) to 84.615%

---

Totals
Change from base Build 500123692:	2.2%
Covered Lines:	77
Relevant Lines:	91

---

💛 - Coveralls

[toupeira]

@BobbyMcWho thanks for the quick review! ❤️