Make covert redirect warning more visible

4a911b48 · Dominic Couture · Mike Jang · 71cef819 · 4a911b48 · 4a911b48
Commit 4a911b48 authored Feb 24, 2021 by Dominic Couture Committed by Mike Jang Feb 24, 2021
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 6 deletions

doc/integration/bitbucket.md doc/integration/bitbucket.md +6 -3

doc/integration/github.md doc/integration/github.md +10 -3

No files found.
--- a/doc/integration/bitbucket.md
+++ b/doc/integration/bitbucket.md
@@ -26,6 +26,11 @@ To enable the Bitbucket OmniAuth provider you must register your application
 with Bitbucket.org. Bitbucket generates an application ID and secret key for
 you to use.

+WARNING:
+To help prevent an [OAuth 2 covert redirect](https://oauth.net/advisories/2014-1-covert-redirect/)
+vulnerability in which users' GitLab accounts could be compromised, append `/users/auth`
+to the end of the Bitbucket authorization callback URL.
+
 1. Sign in to [Bitbucket.org](https://bitbucket.org).
 1. Navigate to your individual user settings (**Bitbucket settings**) or a team's
   settings (**Manage team**), depending on how you want the application registered.
@@ -40,9 +45,7 @@ you to use.
   - **Application description:** *(Optional)* Fill this in if you wish.
   - **Callback URL:** (Required in GitLab versions 8.15 and greater)
     The URL to your GitLab installation, such as
-     `https://gitlab.example.com/users/auth`. Be sure to append `/users/auth` to
-     the end of the callback URL to prevent an
-     [OAuth2 convert redirect](http://tetraph.com/covert_redirect/) vulnerability.
+     `https://gitlab.example.com/users/auth`.
     Leaving this field empty
     [results in an `Invalid redirect_uri` message](https://confluence.atlassian.com/bitbucket/oauth-faq-338365710.html).
   - **URL:** The URL to your GitLab installation, such as `https://gitlab.example.com`.

--- a/doc/integration/github.md
+++ b/doc/integration/github.md
@@ -10,6 +10,16 @@ You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. Th
 enables users to import projects from GitHub, or sign in to your GitLab instance
 with their GitHub account.

+## Security check
+
+Some integrations risk compromising GitLab accounts. To help mitigate this
+[OAuth 2 covert redirect](https://oauth.net/advisories/2014-1-covert-redirect/)
+vulnerability, append `/users/auth` to the end of the authorization callback URL.
+
+However, as far as we know, GitHub does not validate the subdomain part of the `redirect_uri`.
+This means that a subdomain takeover, an XSS, or an open redirect on any subdomain of
+your website could enable the covert redirect attack.
+
 ## Enabling GitHub OAuth

 To enable the GitHub OmniAuth provider, you need an OAuth 2 Client ID and Client Secret from GitHub. To get these credentials, sign into GitHub and follow their procedure for [Creating an OAuth App](https://docs.github.com/en/developers/apps/creating-an-oauth-app).
@@ -19,9 +29,6 @@ When you create an OAuth 2 app in GitHub, you need the following information:
 - The URL of your GitLab instance, such as `https://gitlab.example.com`.
 - The authorization callback URL; in this case, `https://gitlab.example.com/users/auth`. Include the port number if your GitLab instance uses a non-default port.

-NOTE:
-To prevent an [OAuth2 covert redirect](https://oauth.net/advisories/2014-1-covert-redirect/) vulnerability, append `/users/auth` to the end of the GitHub authorization callback URL.
-
 See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.

 After you have configured the GitHub provider, you need the following information. You must substitute that information in the GitLab configuration file in these next steps.