Omniauth `google_auth2/omniauth_error` endpoint renders arbitrary error message
HackerOne report #438746 by h33t on 2018-11-10:
Hi,
While testing GitLab I have come across a bug where it seemed like users can get manipulated or a malicious message could be spread through that vulnerable URL.
Content spoofing is a type of exploit used by malicious hackers to present a faked or modified Web site to the user as if it were legitimate. The intent is, typically, to defraud victims, although sometimes the purpose is simply to misrepresent an organization or an individual.
# Reproduction Steps
- Access the URL.
- In the error parameter, put your message.
Impact
One thing I have thought of for this attack is that attackers might try to publish such a URL on Google using SEO, so then you don't need to send it to a specific user to show the message. If they can publish it on search engines easily, a lot of users will get the attacker's malicious message.
From the Security Department:
Fixed error messages should be displayed for valid error codes from the OAuth specification; any invalid error code should render an "Invalid error code received" or other generic error message.