Issue created Apr 04, 2022 by Joern Schneeweisz (@joernchen, Developer)

Arbitrary protocol redirection

Summary

GitLab pages can be used to redirect to arbitrary protocols in the authentication flow.

Steps to reproduce

Consider the following URL:

https://projects.gitlab.io/auth?domain=mailto://gitlab-com.gitlab.io?body=OMGWTF&state=aaa

It will, after the login redirect to gitlab.com, redirect the user to their mail client.


This might potentially be used, e.g. on mobile devices, to exfiltrate an authentication token via a custom URL handler.

What is the current bug behavior?

Redirect to arbitrary protocols is possible.

What is the expected correct behavior?

Redirect should only be possible to https or http URLs.
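As an added example (not gitlab-pages' own code, and not part of this issue), the following Go check implements the expected behaviour above for a raw `domain` value: it accepts only absolute http or https URLs and rejects the mailto target from this report along with custom app schemes and scheme-relative values. The function name and the constructed sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadRedirect is returned for any redirect target that is not a plain http(s) URL.
var ErrBadRedirect = errors.New("redirect target must be an absolute http or https URL")

// ValidateRedirectTarget parses the raw "domain" value received by the auth
// flow and returns a normalised URL string if it is an absolute http(s) URL.
// Anything else (mailto:, javascript:, custom app schemes, scheme-relative
// "//host" values, relative paths) is rejected so the browser is never handed
// off to a non-web protocol handler. Hypothetical helper, not gitlab-pages code.
func ValidateRedirectTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadRedirect, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return "", ErrBadRedirect
	}
	if u.Host == "" || u.User != nil {
		// Reject empty hosts and userinfo (user:pass@host) to avoid confusable targets.
		return "", ErrBadRedirect
	}
	u.Scheme = scheme
	return u.String(), nil
}

func main() {
	// Constructed inputs: the report's mailto payload, a legitimate Pages origin,
	// a custom app scheme and a scheme-relative value.
	for _, raw := range []string{
		"mailto://gitlab-com.gitlab.io?body=OMGWTF",
		"https://gitlab-com.gitlab.io/",
		"myapp://callback",
		"//gitlab-com.gitlab.io/",
	} {
		target, err := ValidateRedirectTarget(raw)
		fmt.Printf("%-45q -> target=%q err=%v\n", raw, target, err)
	}
}
```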
