    Alias GitHub and BitBucket OAuth2 callback URLs · 88f2e961
    Stan Hu authored
    To prevent an OAuth2 covert redirect vulnerability, this commit adds and
    uses an alias for the GitHub and Bitbucket OAuth2 callback URLs to the
    following paths:
    
    GitHub: /users/auth/-/import/github
    Bitbucket: /users/auth/-/import/bitbucket
    
    This allows admins to put a more restrictive callback URL in the OAuth2
    configuration settings. Instead of https://example.com, admins can now use:
    
    https://example.com/users/auth
    
    It's possible but not trivial to change Devise and OmniAuth to use a
    different prefix for callback URLs instead of /users/auth. For now,
    aliasing the import URLs under the /users/auth namespace should suffice.
    
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
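The benefit the commit message describes is on the provider side: once the import callbacks live under /users/auth, an admin can register https://example.com/users/auth instead of the bare origin, and the provider's redirect_uri prefix check then rejects any other path on the host. The following is an added illustration of that check, not code from GitLab or from any OAuth provider; the `callback_allowed?` function is a hypothetical model of prefix matching (exact scheme, host and port, path-segment prefix), and the candidate URLs other than the two aliased paths are constructed.

```ruby
require 'uri'

# Constructed registered callback URLs, mirroring the commit message:
# the bare origin an admin had to register before, and the tighter
# prefix the aliased routes make possible.
LOOSE_PREFIX  = 'https://example.com'
STRICT_PREFIX = 'https://example.com/users/auth'

# The two aliased callback paths named in the commit message.
ALIASED_CALLBACKS = [
  'https://example.com/users/auth/-/import/github',
  'https://example.com/users/auth/-/import/bitbucket'
].freeze

# Hypothetical provider-side check: scheme, host and port must match the
# registered callback URL exactly, and the request path must be the
# registered path or sit below it as a whole path segment.
def callback_allowed?(registered_prefix, redirect_uri)
  reg = URI.parse(registered_prefix)
  req = URI.parse(redirect_uri)
  return false unless req.scheme == reg.scheme && req.host == reg.host && req.port == reg.port

  reg_path = reg.path.chomp('/')
  # An empty registered path (bare origin) accepts every path on the host,
  # which is exactly why the commit wants admins to register a prefix.
  return true if reg_path.empty?

  req.path == reg_path || req.path.start_with?("#{reg_path}/")
end

# Filter a set of candidate redirect_uris through a registered prefix.
def allowed_callbacks(registered_prefix, candidates)
  candidates.select { |uri| callback_allowed?(registered_prefix, uri) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed candidates: the aliased paths plus a path outside the prefix.
  candidates = ALIASED_CALLBACKS + ['https://example.com/some/other/path']
  puts "loose:  #{allowed_callbacks(LOOSE_PREFIX, candidates).size} of #{candidates.size} allowed"
  puts "strict: #{allowed_callbacks(STRICT_PREFIX, candidates).size} of #{candidates.size} allowed"
end
```

With the loose prefix all three constructed candidates pass; with the strict prefix only the two aliased import callbacks do.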