author: Tiger <twatson@gitlab.com> 2019-02-13 11:11:28 +1100
committer: Tiger <twatson@gitlab.com> 2019-02-19 17:22:50 +1100
commit: 1461913399038aefd786dc807ee5e3361639a565 (patch)
tree: fb0991ae6d11ce7c3837ce1b84712db94466420b /changelogs
parent: c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff)
download: gitlab-ce-1461913399038aefd786dc807ee5e3361639a565.tar.gz
Validate session key when authorizing with GCP to create a cluster
It was previously possible to link a GCP account to another user's GitLab account by having them visit the callback URL, as there was no check that they were the initiator of the request. We now reject the callback unless the state parameter matches the one added to the initiating user's session.
Diffstat (limited to 'changelogs')
-rw-r--r-- changelogs/unreleased/security-kubernetes-google-login-csrf.yml | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
new file mode 100644
index 00000000000..2f87100a8dd
--- /dev/null
+++ b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
@@ -0,0 +1,5 @@
+---
+title: Validate session key when authorizing with GCP to create a cluster
+merge_request:
+author:
+type: security
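Review bot: the `merge_request:` field in the new changelog entry is left empty, so the generated release notes will not link back to the merge request; if that is deliberate because the security MR lives outside the public repository, this is fine, otherwise fill in the MR number before merging. Leaving `author:` blank is consistent with the committer being a GitLab team member (gitlab.com address), so no change needed there.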