HackerOne reported issue: Open redirects

We received a HackerOne report that the "Todos" page contains an open redirect. Details are below:

POC:

$GITLAB_INSTANCE = gitlab.com

Visit:

https://$GITLAB_INSTANCE/dashboard/todos?page=99999999&host=www.google.com

Bug is in Dashboard::TodosController line 10

Likey Same bug in Projects::IssuesController line 32 and other places in the codebase where you redirect_to params.merge(..)

Note, maybe dashboard requires you to be logged in, but maybe more seriously issues controller doesn't.

Another almost identical HackerOne report:

While experimenting with Repository Import functionality on a fresh GitLab 9.0 CE install, I noticed that the continue[to] parameter can be used to perform an Open Redirect through the inclusion of a double-slash prefix.

Proof of Concept

The following Proof of Concept URL enables a malicious actor to execute this redirect against any user – as long as they have permissions to view a certain repository.

http://<instance>/<user>/<repository>/import?continue[to]=//google.com

Observation

I first noticed the continue[to] parameter while receiving the You're not allowed to make changes to this project directly message – demonstrating that edit-level access to the repository in question is not required.