Bypass Open Redirect on Live preview WEB Ide opening
HackerOne report #1613430 by otoyyy
on 2022-06-25, assigned to @rshambhuni:
Report
Summary
I would like to report a Bypass Open Redirect vulnerability in the Live Preview feature. Using the payload https://gitlab.com@123.123@evil.com can bypass the fix that was made for the report at https://hackerone.com/reports/437142. The open function still has a lot of vulnerability in this problem, but if we use opener it has a strong defense.
Steps to reproduce
To verify the vulnerability, I have prepared a file here: https://gitlab.com/-/ide/project/testt1111/poc/edit/main/-/hey.js.
If you want to replicate it, you can use the steps below:
- Create create.json:
    {
      "main": "hey.js",
      "dependencies": {
        "vue": "latest"
      }
    }
- Create hey.js with the payload:
    opener("https://gitlab.com@123.123@evil.com");
- Open it using Open in Web IDE.
- Select Live Preview.
Impact
Bypass Open Redirect to redirect other users to the attacker's domain.
What is the current bug behavior?
The open JavaScript function still has a lot of vulnerability in the Web IDE feature, but the opener function can't make an open redirect to the attacker's URL.
What is the expected correct behavior?
The open function does not make an open redirect to an external URL.
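As an added example, not part of the report or of GitLab's code: the report's payload works against checks that look at the raw URL string, because everything before the last @ is userinfo, not the host. The allow-list, helper names and sample URLs below are constructed for illustration; the one non-constructed value is the payload from the report.

```javascript
// Added example (not from the report or GitLab): deciding whether a redirect
// target stays on the expected host. Allow-list and samples are constructed.

const ALLOWED_HOSTS = new Set(["gitlab.com"]);

// Naive check: string prefix on the raw URL. "https://gitlab.com@..." passes
// because "gitlab.com" is only the username part of the authority.
function naiveIsSameSite(target) {
  return target.startsWith("https://gitlab.com");
}

// Hardened check: let the WHATWG URL parser decide what the host is, then
// require https, no embedded credentials, and an exact allow-listed hostname.
function isSafeRedirect(target, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(target); // no base: relative / scheme-relative input is rejected
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false; // userinfo present
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Side-by-side result for one candidate URL.
function evaluate(target) {
  let parsedHost = null;
  try { parsedHost = new URL(target).hostname; } catch { /* unparseable */ }
  return { target, parsedHost, naive: naiveIsSameSite(target), hardened: isSafeRedirect(target) };
}

const SAMPLES = [
  "https://gitlab.com/-/ide/project/testt1111/poc", // legitimate target
  "https://gitlab.com@123.123@evil.com",            // payload from the report
  "https://gitlab.com@evil.com",                     // single userinfo segment
  "https://gitlab.com.evil.com/",                    // host-suffix confusion
  "//evil.com/",                                     // scheme-relative
];

for (const s of SAMPLES) console.log(evaluate(s));
```

The second row shows the parser reporting evil.com as the host while the prefix check still says "same site", which is exactly the gap the report describes.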