• Tiger's avatar
    Validate session key when authorizing with GCP to create a cluster · e8ec0410
    Tiger authored
    It was previously possible to link a GCP account to another
    user's GitLab account by having them visit the callback URL,
    as there was no check that they were the initiator of the
    request.
    
    We now reject the callback unless the state parameter
    matches the one added to the initiating user's session.
    e8ec0410
security-kubernetes-google-login-csrf.yml 116 Bytes