• Stan Hu's avatar
    Alias GitHub and BitBucket OAuth2 callback URLs · 88f2e961
    Stan Hu authored
    To prevent an OAuth2 covert redirect vulnerability, this commit adds and
    uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
    following paths:
    
    GitHub: /users/auth/-/import/github
    Bitbucket: /users/auth/-/import/bitbucket
    
    This allows admins to put a more restrictive callback URL in the OAuth2
    configuration settings. Instead of https://example.com, admins can now use:
    
    https://example.com/users/auth
    
    It's possible but not trivial to change Devise and OmniAuth to use a
    different prefix for callback URLs instead of /users/auth. For now,
    aliasing the import URLs under the /users/auth namespace should suffice.
    
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
    88f2e961
sh-fix-import-redirect-vulnerability.yml 97 Bytes