GitLab FOSS issue #29365 (Closed)
Issue created Mar 11, 2017 by Brian Neel (@briann, Contributor)

HackerOne reports: GitLab vulnerable to IDN homograph attacks and RTLO attacks

Security Issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2769
These reports are effectively saying GitLab allows Unicode characters in URLs that can appear identical to normal ASCII characters. Users can be fooled into clicking on external links.

I'm torn on this, as the usual solution is to render all links in Punycode, which might not be acceptable for users in countries that make use of these characters. Most browsers implement some protections for these attacks already, as detailed in the Wikipedia link.

HackerOne links: https://hackerone.com/reports/210895 and https://hackerone.com/reports/210896. The raw reports are listed below:

IDN Homograph

Dear GitLab bug bounty team,

Short Description

Gitlab.com is vulnerable to IDN homograph attacks.

What are the exploits?

IDN homograph attacks exist whenever IDNs are displayed in Unicode and not encoded into Punycode.

The following example appears to link to http://gitlab.com, but it actually links to https://xn--itlab-qmc.com:

[Screenshot: idn-homograph-attack-gitlab]

Here is the actual URL in the source code:

[Screenshot: idn-homograph-attack-source-code-gitlab]

What are the steps you took?

I opened an issue on a private repository of mine and pasted the following in the Description field:

The website is located at: https://ɡitlab.com

How can this be fixed?

All that you must do is display the Punycode version of the URL.

More information on IDN homograph attacks: https://en.wikipedia.org/wiki/IDN_homograph_attack (Don't worry, this is a real URL.)

RTLO

Dear GitLab bug bounty team,

Short Description

Gitlab.com allows RTLO characters in links, exposing your users to possible phishing attacks.

Why does this vulnerability exist?

The right to left override (RTLO or RLO) character is used for languages that are written from right to left.

The following example appears to link to https://ed.io/aboutexe.mp3, but it actually links to https://ed.io/about%E2%80%AE3pm.exe:

[Screenshot: rtlo-gitlab]

Here is the actual URL in the source code:

[Screenshot: rtlo-source-code-gitlab]

What are the steps you took?

I opened an issue on a private repository of mine and pasted the following in the Description field:

The website is located at: https://ed.io/about‮3pm.exe

How can this be fixed?

Make sure to filter the RTLO character. For instance, this is how HackerOne handles RTLO characters:

The website is located at: https://ed.io/about‮3pm.exe

Edited Jan 09, 2019 by Brett Walker
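The two fixes proposed in the reports (show a non-ASCII host in Punycode; filter the RTLO character) can be combined into one rendering step for untrusted links. The helper below is an added example, not GitLab's or HackerOne's code: it IDNA-encodes the host for display, removes Unicode bidirectional control characters from the visible text, and percent-encodes them in the href so they survive only as literal `%XX` bytes. The function names and the `flags` labels are this example's own; the two sample URLs are the ones from the reports above.

```python
"""Render an untrusted URL so IDN homographs and RTLO tricks become visible.

Added example (not GitLab's or HackerOne's code). A non-ASCII host is shown
in its Punycode (IDNA) form and bidi control characters are stripped from
the display text and percent-encoded in the href. Names are this example's own.
"""
from urllib.parse import urlsplit, urlunsplit, quote

# Bidi formatting characters: LRE/RLE/PDF/LRO/RLO (U+202A..U+202E),
# the isolates LRI/RLI/FSI/PDI (U+2066..U+2069) and the marks LRM/RLM.
BIDI_CONTROLS = (
    {chr(c) for c in range(0x202A, 0x202F)}
    | {chr(c) for c in range(0x2066, 0x206A)}
    | {"\u200E", "\u200F"}
)


def strip_bidi_controls(text: str) -> str:
    """Drop every bidi control character from text that will be displayed."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def escape_bidi_controls(text: str) -> str:
    """Percent-encode bidi controls so an href carries them only as %XX bytes."""
    return "".join(quote(ch) if ch in BIDI_CONTROLS else ch for ch in text)


def host_to_punycode(host: str) -> str:
    """IDNA-encode a host label by label; a pure-ASCII host comes back unchanged."""
    return host.encode("idna").decode("ascii")


def display_link(url: str) -> dict:
    """Return display text, a safe href and the reasons the URL was rewritten."""
    parts = urlsplit(url)
    flags = []

    if any(ch in BIDI_CONTROLS for ch in url):
        flags.append("bidi_control")      # e.g. U+202E RIGHT-TO-LEFT OVERRIDE

    # Bidi controls are not valid in a host, so remove them before IDNA encoding.
    host = strip_bidi_controls(parts.hostname or "")
    if not host.isascii():
        flags.append("idn_host")          # e.g. U+0261 LATIN SMALL LETTER SCRIPT G
    netloc = host_to_punycode(host)
    if parts.port is not None:
        netloc += f":{parts.port}"

    tail = (parts.path, parts.query, parts.fragment)
    display = urlunsplit((parts.scheme, netloc) + tuple(strip_bidi_controls(c) for c in tail))
    href = urlunsplit((parts.scheme, netloc) + tuple(escape_bidi_controls(c) for c in tail))
    return {"display": display, "href": href, "flags": flags}


if __name__ == "__main__":
    # Both sample URLs are the ones quoted in the reports above.
    for sample in ("https://\u0261itlab.com", "https://ed.io/about\u202e3pm.exe"):
        print(display_link(sample))
```

Rendering `display` as the link text and `href` as the target gives a reader the Punycode host `xn--itlab-qmc.com` instead of a look-alike `gitlab.com`, and `about3pm.exe` instead of a path that visually reverses to `aboutexe.mp3`; the `flags` list lets a renderer decide whether to additionally mark the link as suspicious.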