Oauth2 authentication flow doesn't enforce HTTPS redirect URL
HackerOne report #1000099 by xgbi on 2020-10-06, assigned to @ankelly:
Report
Summary
The OAuth login that allows 3rd party apps to access the GitLab API allows for non-HTTPS return URLs, exposing the authorization code, and possibly the authorization tokens if the OAuth2 flow is implicit.
Steps to reproduce
I encountered this on Shuttleops.io, they have an HTTP redirect_uri:
1/ Go to https://app.shuttleops.io/signin
2/ Click on the gitlab icon, it redirects you to https://gitlab.com/oauth/authorize?client_id=03cf4a803ac636e5b443ebd78291dc7ea35d1196d23d94323e9f2901997c3f01&redirect_uri=http://app.shuttleops.io/login/oauth2/code/gitlab&response_type=code&scope=api&state=xxx%3D
3/ If you click authorize, you are redirected to an HTTP page with the authorization_code passed in plain text over the internet.
This is very sensitive information, and if you allow implicit authentication flow, then the actual authentication tokens are passed in clear text.
Impact
Since any app can select broad requirements, anybody sniffing the network at that time can catch the auth token and impersonate the user on Gitlab with the authorizations of the app.
Examples
See the HAR attached. I have since revoked the authorizations of the App.
What is the current bug behavior?
You should NOT be able to specify a non-HTTPS redirect_uri in an OAuth2 authorize request.
What is the expected correct behavior?
You should see an error if you reach the authorize page without an HTTPS scheme in the redirect uri.
Relevant logs and/or screenshots
See the OAuth Threat Model RFC: https://tools.ietf.org/html/rfc6819#page-27 where it is said that you should validate redirect_uri to make sure that a secure return channel is used.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Impact
An attacker could impersonate anybody accepting a third party application, and benefit from the 3rd party application's authorizations (the scopes).
This could be very broad since Gitlab allows 3rd party apps to have R/W access on the API
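The check the report asks for, as an added example that is not part of the report and not GitLab's or Doorkeeper's own code: a server-side validator for the redirect_uri parameter of an authorize request. It follows RFC 6749 section 3.1.2 (absolute URI, no fragment, exact match against the client's registered URIs) and the RFC 6819 advice cited above (the return channel must be TLS-protected). The only plain-HTTP target it can be configured to accept is a loopback address, which RFC 8252 section 7.3 permits for native apps; that option is off by default. The module name, the `validate` signature and the registered-URI lists in the test are assumptions made for this example; the rejected HTTP URI is the one from the report.

```ruby
require "uri"

# Added example (not GitLab's or Doorkeeper's code): validate the redirect_uri
# of an OAuth2 authorization request before redirecting the browser to it.
module RedirectUriCheck
  # Hosts that RFC 8252 section 7.3 allows to be reached over plain HTTP
  # (native apps listening on the loopback interface).
  LOOPBACK_HOSTS = %w[127.0.0.1 ::1 localhost].freeze

  # Returns [ok, reason]. `registered` is the list of exact redirect URIs the
  # client registered; `allow_loopback_http` permits http:// only to a
  # loopback host, and only when the caller explicitly opts in.
  def self.validate(candidate, registered, allow_loopback_http: false)
    uri = begin
      URI.parse(candidate.to_s)
    rescue URI::InvalidURIError
      return [false, "unparseable redirect_uri"]
    end

    # A relative or host-less value cannot be matched against a registration.
    return [false, "redirect_uri must be absolute"] unless uri.absolute? && uri.hostname

    # RFC 6749 section 3.1.2: the redirection endpoint must not carry a fragment.
    return [false, "redirect_uri must not contain a fragment"] if uri.fragment

    case uri.scheme
    when "https"
      # TLS-protected return channel: the authorization code (or, in the
      # implicit flow, the token itself) is not exposed on the wire.
    when "http"
      # `hostname` strips the brackets from an IPv6 literal such as [::1].
      loopback = allow_loopback_http && LOOPBACK_HOSTS.include?(uri.hostname)
      return [false, "redirect_uri must use https"] unless loopback
    else
      return [false, "unsupported redirect_uri scheme #{uri.scheme.inspect}"]
    end

    # Exact string comparison, not prefix matching, against what was registered.
    return [false, "redirect_uri not registered for this client"] unless registered.include?(candidate)

    [true, nil]
  end
end
```

A server using this would run `validate` on the authorize request and render an error page on `[false, reason]` instead of issuing the 302, which is the behaviour the report lists under "expected correct behavior". The scheme check runs before the registration check on purpose: a client that registered an http:// URI in the first place should also be rejected, so the same rule belongs in the client-registration form.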