HackerOne report: Markdown link filter improperly parses hostname, vulnerable to tabnabbing (#29374) · Issues · GitLab.org / GitLab FOSS

HackerOne report: Markdown link filter improperly parses hostname, vulnerable to tabnabbing

We received a HackerOne report that the markdown link filter in GitLab does not properly parse the user@host field of a URL. This allows an attacker to have an external link tagged as internal, which prevents anchor tags such as target=_blank from being removed. An attacker including target=_blank can then use tabnabbing attacks to inject data into the calling web page.

The full report is below:

Summary

Gitlab.com is vulnerable to reverse tabnabbing in issues, comments, etc. This is the same type of issue as https://hackerone.com/reports/211065, but far worse since in the previous report only a user with developer access to a project could view the "Environments" tab. In this case, the issue affects anywhere where HTML can be added.

Why does this vulnerability exist?

By creating a link with https://gitlab.com@example.com the parser ignores it and does not add the usual rel="nofollow noreferrer" which is located on all other links. I discovered this, because I noticed that internal links are treated differently than external links. So in the example above the victim ends up on example.com, which is where the same scenario as https://hackerone.com/reports/211065 can be performed.

In order to demonstrate this issue the following payload can be used:

Reverse Tabnabbing

Where does the issue lie?

The issue appears to lie in the following lines of code:
def external_url?(url)
   !url.start_with?(internal_url)
end

We received a [HackerOne report](https://hackerone.com/reports/212629) that the markdown link filter in GitLab does not properly parse the `user@host` field of a URL. This allows an attacker to have an external link tagged as internal, which prevents anchor tags such as `target=_blank` from being removed. An attacker including `target=_blank` can then use tabnabbing attacks to inject data into the calling web page.

The full report is below:

>>>
## Summary

Gitlab.com is vulnerable to reverse tabnabbing in issues, comments, etc. This is the same type of issue as https://hackerone.com/reports/211065, but far worse since in the previous report only a user with developer access to a project could view the "Environments" tab. In this case, the issue affects anywhere where HTML can be added.

### Why does this vulnerability exist?

By creating a link with https://gitlab.com@example.com the parser ignores it and does not add the usual rel="nofollow noreferrer" which is located on all other links. I discovered this, because I noticed that internal links are treated differently than external links. So in the example above the victim ends up on example.com, which is where the same scenario as https://hackerone.com/reports/211065 can be performed.

In order to demonstrate this issue the following payload can be used:

<a href="https://gitlab.com@example.com" target="_blank">Reverse Tabnabbing</a>

### Where does the issue lie?

The issue appears to lie in the following lines of code:

```ruby
def external_url?(url)
   !url.start_with?(internal_url)
end
```

>>>

Discussion
Designs

HackerOne report: Markdown link filter improperly parses hostname, vulnerable to tabnabbing

Summary

Why does this vulnerability exist?

Where does the issue lie?

Related issues