Issue #29580 (Closed)
Issue created Jun 18, 2019 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

ESCALATED: Lack of state parameter on GitHub import project OAuth

HackerOne report #605576 by aryan2808 on 2019-06-10, assigned to jmatos_bgtvf:

Hi GitLab Security Team,

Summary:

GitLab allows users to import projects from various companies such as GitHub. Importing a project from GitHub to GitLab suffers from a lack of a state parameter, which allows an attacker to connect his GitHub account to the victim's GitLab import project function. Moreover, an interesting thing is that there is no option to disconnect the GitHub account on this function.

Steps to reproduce:

  1. Attacker navigates to Create Project > Import Project > GitHub.
    URL: https://gitlab.com/import/github/new

  2. Attacker authorizes his GitHub account via the List Your GitHub function.

  3. As there is no state parameter on the request, the attacker captures the request and passes that request to the victim.

  4. Upon opening the link, the attacker's GitHub account is connected to the import function forever; there is no option to disconnect the GitHub account on this function.

HTTP request:

GET /users/auth/-/import/github/callback?code=2d162be301039cd44cf4 HTTP/1.1
Host: gitlab.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://github.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:

Mitigation:

Implement the state parameter.

Thanks,
Aryan.

Impact

The attacker could connect his GitHub account to the import function forever.

Edited Nov 27, 2019 by GitLab SecurityBot
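The flow the report describes, as an added example that is not GitLab's code: a minimal simulation of the GitHub import callback without a state check (any browser that follows a captured `?code=` link ends up linked to whoever minted that code) beside a hardened version that mints a random `state` bound to the initiating session and rejects callbacks whose `state` is absent, mismatched or already consumed. The code exchange is a constructed in-memory stand-in for GitHub's token endpoint, the host `gitlab.example` and the module names are hypothetical, and the constant-time compare is hand-rolled so the block needs no gems.

```ruby
require 'securerandom'
require 'uri'

# Constructed stand-in for GitHub's authorization-code exchange: maps a code to
# the GitHub account that minted it. No network call is made.
FAKE_GITHUB_CODES = {
  'attacker-code-0001' => 'attacker-github',
  'victim-code-0002'   => 'victim-github'
}.freeze

def exchange_code(code)
  owner = FAKE_GITHUB_CODES[code]
  return nil unless owner
  { owner: owner, token: "gho_#{owner}" }
end

# Mirrors the report: the callback's only input is ?code=, so the session that
# happens to open the link is bound to that code's GitHub account.
module VulnerableImportCallback
  module_function

  def authorize_url(_session)
    'https://github.com/login/oauth/authorize?client_id=example&redirect_uri=' \
      'https%3A%2F%2Fgitlab.example%2Fusers%2Fauth%2F-%2Fimport%2Fgithub%2Fcallback'
  end

  def handle_callback(session, params)
    result = exchange_code(params['code'])
    return [:error, :bad_code] unless result
    session[:github_import] = result # whoever minted the code now owns the link
    [:ok, result[:owner]]
  end
end

# Hardened variant: a per-session, single-use, unguessable state value.
module HardenedImportCallback
  module_function

  def authorize_url(session)
    state = SecureRandom.urlsafe_base64(32)
    session[:github_oauth_state] = state
    "#{VulnerableImportCallback.authorize_url(session)}&state=#{state}"
  end

  def handle_callback(session, params)
    expected = session.delete(:github_oauth_state) # consumed on first use
    given = params['state']
    return [:error, :missing_state] if expected.nil? || given.nil?
    return [:error, :state_mismatch] unless secure_equal?(expected, given)
    result = exchange_code(params['code'])
    return [:error, :bad_code] unless result
    session[:github_import] = result
    [:ok, result[:owner]]
  end

  # Length check first, then XOR every byte so timing does not leak the prefix.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

def state_from(url)
  URI.decode_www_form(URI(url).query).to_h['state']
end

# Steps 3-4 of the report: the attacker finishes GitHub's side of the dance,
# then hands the resulting callback parameters to a victim who never started it.
def replay_attacker_callback(handler)
  attacker_session = {}
  url = handler.authorize_url(attacker_session)
  callback_params = { 'code' => 'attacker-code-0001', 'state' => state_from(url) }.compact
  victim_session = {}
  [handler.handle_callback(victim_session, callback_params), victim_session]
end

# Legitimate flow: the same browser session starts and finishes the import.
def legitimate_import(handler)
  session = {}
  url = handler.authorize_url(session)
  params = { 'code' => 'victim-code-0002', 'state' => state_from(url) }.compact
  handler.handle_callback(session, params)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{replay_attacker_callback(VulnerableImportCallback).first.inspect}"
  puts "hardened:   #{replay_attacker_callback(HardenedImportCallback).first.inspect}"
end
```

Running it shows the vulnerable handler binding the victim's session to `attacker-github` while the hardened one returns `:missing_state`, because the victim's session never minted a state; a victim who did start their own import still gets `:state_mismatch` for the attacker's link, and the state is deleted on first use so a captured link cannot be replayed.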