Skip to content

Open Redirect in `InternalRedirect`

Summary

Within app/controllers/concerns/internal_redirect.rb the safe_redirect_path method is intended to assure that no external redirects occur:


module InternalRedirect
  extend ActiveSupport::Concern

  def safe_redirect_path(path)
    return unless path
    # Verify that the string starts with a `/` and a known route character.
    return unless path =~ %r{^/[-\w].*$}

    uri = URI(path)
    # Ignore anything path of the redirect except for the path, querystring and,
    # fragment, forcing the redirect within the same host.
    full_path_for_uri(uri)
  rescue URI::InvalidURIError
    nil
  end

The check return unless path =~ %r{^/[-\w].*$} however is bypassable as the regular expression uses ^ and $ as anchors. Those anchors match by line and can be satisfied by single lines within multi-line input e.g.:

not-starting-with-a-slash
/starting/with/a/slash

Steps to reproduce

The following URL demonstrates the issue and will redirect to gitlab.com.phishingsite.bugkraut.de:

https://gitlab.com/joernchen/xxeserve/-/import?continue[to]=.phishingsite.bugkraut.de?%0a/path

Possible fixes

Replacing the regex anchors by \A and \z will catch newlines and fix this issue. I've got a patch and some test for it ready, I'm just waiting for my dev.gitlab.org access to push those.