    Alias GitHub and BitBucket OAuth2 callback URLs · 6d57b2fd
    Stan Hu authored
    To prevent an OAuth2 covert redirect vulnerability, this commit adds and
    uses an alias for the GitHub and Bitbucket OAuth2 callback URLs to the
    following paths:
    
    GitHub: /users/auth/-/import/github
    Bitbucket: /users/auth/-/import/bitbucket
    
    This allows admins to put a more restrictive callback URL in the OAuth2
    configuration settings. Instead of https://example.com, admins can now use:
    
    https://example.com/users/auth
    
    It's possible but not trivial to change Devise and OmniAuth to use a
    different prefix for callback URLs instead of /users/auth. For now,
    aliasing the import URLs under the /users/auth namespace should suffice.
    
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
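As an added illustration (not code from this commit or from GitLab), the Ruby check below applies the redirect URI rule GitHub documents for OAuth apps (scheme, host and port must match the registered callback URL exactly, and the path must be the registered path or a subdirectory of it) to the two aliased paths from the commit message plus one constructed path elsewhere on the host. It shows why registering `https://example.com/users/auth` instead of `https://example.com` narrows which redirect targets the provider will honour; the `CallbackUrlPolicy` module, its `report` helper and the `/some/other/page` path are constructed for the example, and Bitbucket is assumed to behave equivalently for this purpose.

```ruby
require 'uri'

# Prefix rule for OAuth2 redirect URIs as GitHub documents it for OAuth apps:
# scheme, host and port must equal the registered callback URL, and the path
# must be the registered path or a subdirectory of it. Bitbucket is assumed
# (for this illustration only) to apply an equivalent rule.
module CallbackUrlPolicy
  def self.allowed?(registered, candidate)
    reg  = URI.parse(registered)
    cand = URI.parse(candidate)
    return false unless [reg.scheme, reg.host, reg.port] == [cand.scheme, cand.host, cand.port]

    base = reg.path.chomp('/')          # "" for a bare origin, "/users/auth" otherwise
    return true if base.empty?          # bare origin: every path on the host is accepted
    path = cand.path.empty? ? '/' : cand.path
    path == base || path.start_with?("#{base}/")  # segment boundary: "/users/authx" fails
  end

  # Evaluates each redirect path against a registered callback URL and returns
  # { path => allowed? }, so the effect of tightening the registration is visible.
  def self.report(registered, host, paths)
    paths.to_h { |p| [p, allowed?(registered, "#{host}#{p}")] }
  end
end

HOST = 'https://example.com'
# The two aliases introduced by the commit, plus one constructed path elsewhere
# on the same host that an OAuth2 callback should never be allowed to land on.
PATHS = [
  '/users/auth/-/import/github',
  '/users/auth/-/import/bitbucket',
  '/some/other/page' # constructed, not a GitLab route
].freeze

if $PROGRAM_NAME == __FILE__
  puts "registered #{HOST}:            #{CallbackUrlPolicy.report(HOST, HOST, PATHS)}"
  puts "registered #{HOST}/users/auth: #{CallbackUrlPolicy.report("#{HOST}/users/auth", HOST, PATHS)}"
end
```

With the bare origin registered, all three paths are accepted; with the `/users/auth` prefix registered, only the two aliased import callbacks pass.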