gitlab-org--gitlab-foss/spec/controllers
Stan Hu 88f2e9615c
Alias GitHub and BitBucket OAuth2 callback URLs
To prevent an OAuth2 covert redirect vulnerability, this commit adds and
uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
following paths:

GitHub: /users/auth/-/import/github
Bitbucket: /users/auth/-/import/bitbucket

This allows admins to put a more restrictive callback URL in the OAuth2
configuration settings. Instead of https://example.com, admins can now use:

https://example.com/users/auth

It's possible but not trivial to change Devise and OmniAuth to use a
different prefix for callback URLs instead of /users/auth. For now,
aliasing the import URLs under the /users/auth namespace should suffice.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
2019-01-31 16:52:48 +01:00
admin Fix requests profiler in admin page not rendering HTML properly 2019-01-09 23:09:43 -08:00
boards Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
concerns Save sorting preference for Issues/MRs in BE 2019-01-28 12:48:05 -06:00
dashboard Adds milestone search 2019-01-24 18:44:09 +01:00
explore Update specs to rails5 format 2018-12-19 10:04:31 +11:00
google_api Update specs to rails5 format 2018-12-19 10:04:31 +11:00
groups Merge branch '54905-milestone-search' into 'master' 2019-01-25 13:22:34 +00:00
import Alias GitHub and BitBucket OAuth2 callback URLs 2019-01-31 16:52:48 +01:00
instance_statistics Resolve "Remove usage ping payload from Cohorts, add to Settings" 2018-09-06 12:43:14 +00:00
ldap Update specs to rails5 format 2018-12-19 10:04:31 +11:00
oauth Update specs to rails5 format 2018-12-19 10:04:31 +11:00
profiles Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
projects Use common error for unauthenticated users 2019-01-31 16:51:17 +01:00
snippets Update specs to rails5 format 2018-12-19 10:04:31 +11:00
users Update specs to rails5 format 2018-12-19 10:04:31 +11:00
abuse_reports_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
application_controller_spec.rb Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
autocomplete_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
dashboard_controller_spec.rb Merge branch 'security-fix-pat-web-access' into 'master' 2018-11-28 19:13:59 -05:00
graphql_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
groups_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
health_check_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
health_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
help_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
invites_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
metrics_controller_spec.rb Remove healthchecks from prometheus endpoint 2018-07-12 17:37:51 +00:00
notification_settings_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
omniauth_callbacks_controller_spec.rb Update gitlab-styles to 2.5.1 2019-01-11 23:59:35 +01:00
passwords_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
profiles_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
projects_controller_spec.rb Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
registrations_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
root_controller_spec.rb Fix tests 2018-11-13 15:27:42 +08:00
search_controller_spec.rb Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
sent_notifications_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
sessions_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
snippets_controller_spec.rb Fix deprecation: Using positional arguments in integration tests 2019-01-02 22:33:28 +01:00
uploads_controller_spec.rb Enable the Layout/ExtraSpacing cop 2019-01-24 13:05:45 +01:00
user_callouts_controller_spec.rb Update specs to rails5 format 2018-12-19 10:04:31 +11:00
users_controller_spec.rb Fix contributed projects finder shown private info 2019-01-31 16:51:16 +01:00