Arbitrary protocol redirection

Summary

GitLab Pages can be used to redirect to arbitrary protocols in the authentication flow.

Steps to reproduce

Consider the following URL:

https://projects.gitlab.io/auth?domain=mailto://gitlab-com.gitlab.io?body=OMGWTF&state=aaa

After the login redirect to gitlab.com, it will redirect the user to their mail client.

This could potentially be used, e.g. on mobile devices, to exfiltrate the authentication token via a custom URL handler.

What is the current bug behavior?

Redirecting to arbitrary protocols is possible.

What is the expected correct behavior?

Redirect should only be possible to https or http URLs.
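One way to enforce that rule on the server side, as an added example that is not GitLab's own code: a Go check (the `ValidateRedirect` helper is named here for illustration) that accepts only absolute http/https targets and rejects everything else, including the `mailto://` value from the report above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadRedirect is returned for any target that is not an absolute http(s) URL.
var ErrBadRedirect = errors.New("redirect target must be an absolute http or https URL")

// ValidateRedirect takes a raw value such as the `domain` query parameter and
// returns the normalised URL only if it is an absolute http or https URL.
// Other schemes (mailto:, javascript:, custom app schemes), scheme-relative
// "//host" forms, bare relative paths and unparsable input are all rejected.
// Rejecting userinfo ("https://user@host") is an extra defensive choice made
// in this example; it is not required by the expected behaviour above.
func ValidateRedirect(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", ErrBadRedirect
	}
	// url.Parse lower-cases the scheme, so "MAILTO:" and "HTTPS:" are covered.
	switch u.Scheme {
	case "http", "https":
	default:
		return "", ErrBadRedirect
	}
	// A real host is required: this rejects "https:" alone and "https:///x".
	if u.Host == "" || u.User != nil {
		return "", ErrBadRedirect
	}
	return u.String(), nil
}

func main() {
	// Constructed inputs: the first is the value from the report, the rest are
	// common variants a redirect validator has to handle.
	for _, in := range []string{
		"mailto://gitlab-com.gitlab.io?body=OMGWTF",
		"//evil.example/path",
		"javascript:alert(1)",
		"HTTPS://gitlab-com.gitlab.io/?state=aaa",
	} {
		out, err := ValidateRedirect(in)
		fmt.Printf("%-45q -> %q, %v\n", in, out, err)
	}
}
```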
