Alias GitHub and BitBucket OAuth2 callback URLs

To prevent an OAuth2 covert redirect vulnerability, this commit adds and
uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
following paths:

GitHub: /users/auth/-/import/github
Bitbucket: /users/auth/-/import/bitbucket

This allows admins to put a more restrictive callback URL in the OAuth2
configuration settings. Instead of https://example.com, admins can now use:

https://example.com/users/auth

It's possible but not trivial to change Devise and OmniAuth to use a
different prefix for callback URLs instead of /users/auth. For now,
aliasing the import URLs under the /users/auth namespace should suffice.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663

1 files changed, 5 insertions, 1 deletions

diff --git a/doc/integration/bitbucket.md b/doc/integration/bitbucket.md
index a69db1d1a6e..68ec8c4b5c2 100644
--- a/doc/integration/bitbucket.md
+++ b/doc/integration/bitbucket.md
@@ -43,9 +43,13 @@ you to use.
     | :--- | :---------- |
     | **Name** | This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or something else descriptive. |
     | **Application description** | Fill this in if you wish. |
-    | **Callback URL** | The URL to your GitLab installation, e.g., `https://gitlab.example.com`. |
+    | **Callback URL** | The URL to your GitLab installation, e.g., `https://gitlab.example.com/users/auth`. |
     | **URL** | The URL to your GitLab installation, e.g., `https://gitlab.example.com`. |
 
+    NOTE: Be sure to append `/users/auth` to the end of the callback URL
+    to prevent a [OAuth2 convert
+    redirect](http://tetraph.com/covert_redirect/) vulnerability.
+
     NOTE: Starting in GitLab 8.15, you MUST specify a callback URL, or you will
     see an "Invalid redirect_uri" message. For more details, see [the
     Bitbucket documentation](https://confluence.atlassian.com/bitbucket/oauth-faq-338365710.html).