HackerOne Reported issue: CSRF token leakage via JS and location.pathname manipulation
Title: CSRF-Token leak by request forgery
Weakness: Cross-Site Request Forgery (CSRF)
Severity: Medium (6.3)
Date: 2017-04-16 18:18:57 +0000
I found the following issue in my own Gitlab installation.
This is a request forgery that reveals the Rails authenticity_token remotely, which in turn allows mounting state-changing CSRF attacks.
The web app code relies on location.pathname in a number of places to create new relative URLs.
Now, a forged link containing //namespace/repo/ will make these URLs absolute because of the leading double slashes. I was able to create an attack.com namespace which translates to
The app will then send a request including the anti-CSRF token to an attacker-controlled domain, which it definitely should not, ever (see point 2 below).
A malicious web page and the coordinated server will be able to perform actions through the victim's browser in a second.
Issues of this kind should be fixed globally, since the code is recent and developers are likely to introduce more document.location dependencies regularly.
1. Validate or normalize requested URLs against //, /../, and co. This can be done in Rails or in JS, or both.
2. Forbid cross-domain requests in all
Best regards, Aurel
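The mechanism described in the report, as an added example that is not part of the original report and not GitLab's code: a pathname that begins with "//" is resolved as a protocol-relative URL, so concatenating location.pathname with a suffix produces a request to another host. The hardened variant shows the normalization the report asks for (collapsing leading slashes and resolving dot segments) plus an origin check as a backstop. It runs under Node.js, whose WHATWG URL API resolves URLs the way browsers do; the origin gitlab.example, the host attack.com and the function names are assumptions for illustration.

```javascript
// Added example, not GitLab's code. Shows why a pathname beginning with "//"
// turns a "relative" URL into a cross-origin one, and one way to normalize it.
// Assumes Node.js (the WHATWG URL API resolves URLs the way browsers do).

const APP_ORIGIN = "https://gitlab.example"; // assumed origin of the app

// Pattern from the report: concatenate location.pathname with a suffix and let
// the browser resolve it. A pathname of "//attack.com/repo/" resolves to a
// protocol-relative URL, so the request (and any CSRF token in it) leaves the app.
function buildUnsafeUrl(pathname, suffix) {
  return new URL(pathname + suffix, APP_ORIGIN);
}

// True when href stays on the app's origin.
function isSameOrigin(href) {
  return new URL(href, APP_ORIGIN).origin === APP_ORIGIN;
}

// Normalize a path before using it: collapse leading slashes and backslashes
// (browsers treat "\" like "/" in http(s) URLs, so "/\attack.com" is also an
// authority), then let the parser resolve "/../" and "/./" against APP_ORIGIN.
function normalizePath(pathname) {
  const collapsed = "/" + pathname.replace(/^[\/\\]+/, "");
  return new URL(collapsed, APP_ORIGIN).pathname;
}

// Hardened variant: normalize, then refuse anything that still left the origin.
function buildSafeUrl(pathname, suffix) {
  const url = new URL(normalizePath(pathname + suffix), APP_ORIGIN);
  if (url.origin !== APP_ORIGIN) {
    throw new Error("refusing cross-origin request to " + url.href);
  }
  return url;
}

// Constructed inputs: the attacker's forged link vs. a normal repository path.
const forged = "//attack.com/repo/";
const normal = "/namespace/repo/";
console.log(buildUnsafeUrl(forged, "commits").href);  // resolves to attack.com
console.log(buildSafeUrl(forged, "commits").href);    // stays on APP_ORIGIN
console.log(buildSafeUrl(normal, "../other/").href);  // dot segments resolved
```

The origin comparison in buildSafeUrl is a backstop rather than the primary control: once leading slashes and backslashes are collapsed, the parser can no longer read the path as an authority, so the check is there to fail closed if a later code path feeds in something normalizePath did not anticipate. Applying the same normalization server-side in Rails, as the report suggests, keeps the two layers from drifting apart.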