author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-25 03:11:24 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-25 03:11:24 +0300 |
commit | cffcf0772c5354d0d55fd4e32f724108a9582f15 (patch) | |
tree | ac827ac27f31b41f9e05d4ffe757be9f54aa6578 /doc/integration/github.md | |
parent | 1631d8a2e0eef291f1d0b9486ee35ed6b52a176a (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration/github.md')
-rw-r--r-- | doc/integration/github.md | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/doc/integration/github.md b/doc/integration/github.md index 4258b1c3c76..4d8adfe42f1 100644 --- a/doc/integration/github.md +++ b/doc/integration/github.md @@ -10,6 +10,16 @@ You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. Th enables users to import projects from GitHub, or sign in to your GitLab instance with their GitHub account. +## Security check + +Some integrations risk compromising GitLab accounts. To help mitigate this +[OAuth 2 covert redirect](https://oauth.net/advisories/2014-1-covert-redirect/) +vulnerability, append `/users/auth` to the end of the authorization callback URL. + +However, as far as we know, GitHub does not validate the subdomain part of the `redirect_uri`. +This means that a subdomain takeover, an XSS, or an open redirect on any subdomain of +your website could enable the covert redirect attack. + ## Enabling GitHub OAuth To enable the GitHub OmniAuth provider, you need an OAuth 2 Client ID and Client Secret from GitHub. To get these credentials, sign into GitHub and follow their procedure for [Creating an OAuth App](https://docs.github.com/en/developers/apps/creating-an-oauth-app). @@ -19,9 +29,6 @@ When you create an OAuth 2 app in GitHub, you need the following information: - The URL of your GitLab instance, such as `https://gitlab.example.com`. - The authorization callback URL; in this case, `https://gitlab.example.com/users/auth`. Include the port number if your GitLab instance uses a non-default port. -NOTE: -To prevent an [OAuth2 covert redirect](https://oauth.net/advisories/2014-1-covert-redirect/) vulnerability, append `/users/auth` to the end of the GitHub authorization callback URL. - See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings. After you have configured the GitHub provider, you need the following information. You must substitute that information in the GitLab configuration file in these next steps. |
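Review bot: in the first hunk, the new `## Security check` section tells the reader to "append `/users/auth` to the end of the authorization callback URL" before the callback URL has been introduced (it first appears in the `Enabling GitHub OAuth` list further down), and it never says why the path suffix helps against the covert redirect advisory it links; write the full value `https://gitlab.example.com/users/auth` here and add one sentence on what the path restricts, so the mitigation does not read as a magic suffix. The key caveat, "as far as we know, GitHub does not validate the subdomain part of the `redirect_uri`", is hedged and unsourced; a security note should either cite GitHub's documented redirect URL matching rules or state what was actually tested, and should tell the administrator what follows from it (hosting GitLab under a hostname that shares its parent domain with many other services widens the exposure described in the next sentence). "Some integrations risk compromising GitLab accounts" is too vague to act on; name the consequence (an attacker-controlled location receiving the OAuth response). Finally, "Security check" suggests something the reader runs; "Security considerations" would match what the section contains.

Review bot: in the second hunk, removing the `NOTE:` leaves the bullet `The authorization callback URL; in this case, https://gitlab.example.com/users/auth.` with no indication that the `/users/auth` path is load-bearing rather than an example choice, so an administrator copying from this list and entering only the instance URL would silently lose the mitigation; add a short cross-reference to the new `Security check` section at the end of that bullet (for example: "the `/users/auth` path is required, see Security check above"), since that section is now the only place the requirement is explained.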