Add state parameter on bitbucket import project oauth (!83598) · Merge requests · GitLab.org / GitLab

Illya Klymov requested to merge 350336-confidential-issue into master Mar 24, 2022

What does this MR do and why?

This MR introduces state param for bitbucket oauth and verification that same state is passed back to avoid attacker passing link and linking attacker account to victim

Screenshots or screen recordings

https://watch.screencastify.com/v/4pSCPGk2SfNvDwuG5n5B

How to set up and validate locally

Set up your GDK with bitbucket integration following our guidelines (omniauth configuration lives in config/gitlab.yml under development section
Go to /projects/new#import_project, click "Bitbucket"
Observe state parameter in bitbucket auth process
Ensure that bitbucket auth was succesfull
Logout (this is required to clear session)
Go to /projects/new#import_project, click "Bitbucket"
Hijack link used for auth (easiest way is by putting your browser to offline mode and modify URL in the browser)
Observe that auth fails and you're redirected again to bitbucket auth

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Mar 24, 2022 by Illya Klymov

Add state parameter on bitbucket import project oauth

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports