
Ability to change the real URL in Slack messages generated by the Slack integration; possibility of directing users to a malicious site to steal login data

HackerOne report #1310778 by rafaltrojniak on 2021-08-18, assigned to GitLab Team:


Report

Summary

The Slack integration is vulnerable to injection of malicious Slack macros into the Slack messages generated by this integration.
As an example, those Slack macros can deceive the user and force him to open a malicious URL instead of the legitimate GitLab URL.

Steps to reproduce
Preconditions:
  • A GitLab project that is open to merge requests from anyone
  • This GitLab project has the Slack integration enabled and configured, and people look at those Slack messages.
User action leading to exploitation:
  • Fork the original project
  • Create a branch
  • Create a merge request from the forked repository to the original repository with injected Slack macros in the merge request title. An example macro aiming to change the URL is ><http://evil.localhost|Some MR title
    This will create the merge request and trigger a Slack notification with the URL changed to the malicious one for the MR description part.
  • Change the merge request title to something not suspicious, like Some MR title. This does not send a Slack notification; it only leaves the event in the GitLab MR history.
User action:

Using Slack, the user clicks on the title in the notification created by the GitLab Slack integration

Impact

The user is misled and can click on the link that will direct him to a malicious site.

Examples

This is a link to an example malicious merge request:
https://gitlab.com/rafaltrojniak/bugbounty/-/merge_requests/1

This is my private project, but it will also work in the forking scenario described above.

What is the current bug behavior?

Slack macros found in the merge request title are interpreted by Slack when the notification is sent, allowing the user to be misled.

What is the expected correct behavior?

Slack macros found in the merge request title should be displayed 'as is', without being interpreted by Slack. They should be properly escaped as described here: https://api.slack.com/reference/surfaces/formatting#escaping
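The injection from the reproduction steps and the escaping rule from the expected behavior, shown together in Ruby as an added example that is not part of the report or of GitLab's integration code. The MR URL, the helper names and the simplified stand-in for Slack's link parser are assumptions made for illustration:

```ruby
# Added example (not GitLab's code): how an unescaped merge request title
# breaks Slack's <url|label> link syntax, and the escaping that prevents it.
# The MR URL and the Slack-side parser below are assumptions for illustration.

# Slack's escaping rules for message text cover exactly these three characters.
# '&' is replaced first so the entities introduced for '<' and '>' are not
# escaped a second time.
# https://api.slack.com/reference/surfaces/formatting#escaping
def slack_escape(text)
  text.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Vulnerable construction: the title is interpolated verbatim into the label.
def vulnerable_link(url, title)
  "<#{url}|#{title}>"
end

# Hardened construction: the title is escaped before interpolation.
def safe_link(url, title)
  "<#{url}|#{slack_escape(title)}>"
end

# Minimal stand-in for Slack's link parsing (assumed, not Slack's code):
# returns the [url, label] pairs a client would render as clickable from a
# mrkdwn string. Only <url|label> tokens are modelled.
def rendered_links(mrkdwn)
  mrkdwn.scan(/<([^<>|]+)\|([^<>]*)>/)
end

MR_URL = 'https://gitlab.example.com/group/project/-/merge_requests/1' # assumed
# Constructed payload in the shape the report describes: the leading '>' closes
# the legitimate link early and the rest opens a new link to the attacker's host.
MALICIOUS_TITLE = '><http://evil.localhost|Some MR title'

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_link(MR_URL, MALICIOUS_TITLE)
  p rendered_links(vulnerable_link(MR_URL, MALICIOUS_TITLE))
  puts safe_link(MR_URL, MALICIOUS_TITLE)
  p rendered_links(safe_link(MR_URL, MALICIOUS_TITLE))
end
```

With the vulnerable construction the visible text "Some MR title" is rendered as a link to http://evil.localhost, while the legitimate MR URL is left with an empty label; with the escaped construction only the MR URL remains clickable and the injected characters show up as literal text.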

Relevant logs and/or screenshots

A screenshot of such a notification generated by the above MR is here: Przechwycenie_obrazu_ekranu_2021-08-18_17-36-32.png

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

This bug happens on GitLab.com

Impact

A user that clicks the link without checking can be directed to a site outside the scope of GitLab (either gitlab.com or a personal GitLab instance).
This link, which is usually treated as safe, may lead the client to any malicious site that could continue the attack.
Possible impacts are:

  • Further exploitation of the client (like attacks against the browser, local network infrastructure and such)
  • Misleading the user and convincing him to share login credentials

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
