kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/config/routes
History
Stan Hu 88f2e9615c
Alias GitHub and BitBucket OAuth2 callback URLs 
To prevent an OAuth2 covert redirect vulnerability, this commit adds and
uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
following paths:

GitHub: /users/auth/-/import/github
Bitbucket: /users/auth/-/import/bitbucket

This allows admins to put a more restrictive callback URL in the OAuth2
configuration settings. Instead of https://example.com, admins can now use:

https://example.com/users/auth

It's possible but not trivial to change Devise and OmniAuth to use a
different prefix for callback URLs instead of /users/auth. For now,
aliasing the import URLs under the /users/auth namespace should suffice.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
2019-01-31 16:52:48 +01:00
..
admin.rb Put EE routes in EE files under EE directories 2018-10-26 14:27:05 +08:00
api.rb Pass on arguments passed to the FeatureConstrainer 2018-12-14 14:35:05 +01:00
ci.rb
dashboard.rb
development.rb
explore.rb
git_http.rb
google_api.rb
group.rb Extend clusters_controller for group type clusters 2018-11-08 23:14:06 +13:00
help.rb
import.rb Alias GitHub and BitBucket OAuth2 callback URLs 2019-01-31 16:52:48 +01:00
instance_statistics.rb Fix leading slash in redirects and add cop 2018-09-21 14:10:20 +00:00
legacy_builds.rb
profile.rb
project.rb Add ability to resolve project id into path 2019-01-22 09:59:10 +02:00
repository.rb Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
sherlock.rb
sidekiq.rb
snippets.rb
uploads.rb Use system paths for appearance logos 2018-12-25 08:22:34 -08:00
user.rb Resolve "Add new "Overview" tab on user profile page" 2018-10-04 07:55:37 +00:00
wiki.rb Revert "Resolve "[Rails5] ActionView::MissingTemplate in spec/features/projects/wiki/user_views_wiki_page_spec.rb"" 2018-12-03 12:28:51 +01:00