HackerOne report: Markdown link filter improperly parses hostname, vulnerable to tabnabbing
We received a HackerOne report that the markdown link filter in GitLab does not properly parse the user@host field of a URL. This allows an attacker to have an external link tagged as internal, which prevents anchor tags such as target=_blank from being removed. An attacker including target=_blank can then use tabnabbing attacks to inject data into the calling web page.
The full report is below:
Summary
Gitlab.com is vulnerable to reverse tabnabbing in issues, comments, etc. This is the same type of issue as https://hackerone.com/reports/211065, but far worse since in the previous report only a user with developer access to a project could view the "Environments" tab. In this case, the issue affects anywhere where HTML can be added.
Why does this vulnerability exist?
By creating a link with https://gitlab.com@example.com the parser ignores it and does not add the usual rel="nofollow noreferrer" which is located on all other links. I discovered this, because I noticed that internal links are treated differently than external links. So in the example above the victim ends up on example.com, which is where the same scenario as https://hackerone.com/reports/211065 can be performed.
In order to demonstrate this issue the following payload can be used:
Where does the issue lie?
The issue appears to lie in the following lines of code:
def external_url?(url) !url.start_with?(internal_url) end