
Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

HackerOne report #1727985 by ryotak on 2022-10-10, assigned to GitLab Team:


Report

Summary

Due to the incomplete fix for CVE-2022-0283, an attacker can execute arbitrary JavaScript on self-hosted instances that do not enforce a strict CSP.

Description

The following code was added to fix CVE-2022-0283.

app/controllers/jira_connect/users_controller.rb lines 8-20

  # Only the show action runs the return_to validation.
  before_action :verify_return_to_url, only: [:show]
  [...]
  def verify_return_to_url
    return unless params[:return_to].present?

    # Drops return_to unless the hostname check in Integrations::Jira accepts it;
    # the URL scheme is never inspected here.
    params.delete(:return_to) unless Integrations::Jira.valid_jira_cloud_url?(params[:return_to])
  end

app/models/integrations/jira.rb lines 98-102

    def self.valid_jira_cloud_url?(url)
      return false unless url.present?

      # Accepts any URL whose parsed hostname ends with JIRA_CLOUD_HOST,
      # regardless of its scheme (http, https, javascript, ...).
      !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
    end

However, since this fix targets the open redirect rather than an XSS, it does not validate the URL's scheme: a javascript: URL whose authority part ends with the Jira Cloud host passes the hostname check, so the javascript: scheme can be specified as the return URL.

Steps to reproduce

Self-hosted instance (with an alert)

  1. Set up your own GitLab instance.
  2. Log in to the GitLab instance.
  3. Open https://YOUR_OWN_INSTANCE/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)
  4. Click Return to GitLab for Jira.
  5. Confirm that alert(document.domain) has been executed.

GitLab.com (with a CSP error message)

  1. Log in to GitLab.
  2. Open https://gitlab.com/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)
  3. Open DevTools.
  4. Click Return to GitLab for Jira.
  5. Confirm that CSP prevented the execution of JavaScript.

Examples

https://gitlab.com/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)

What is the current bug behavior?

The javascript: scheme is allowed as a return URL.

What is the expected correct behavior?

Only http and https should be allowed as a scheme.
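As an added example (not GitLab's code, and not the fix GitLab shipped), the hostname-only check from the snippet in the Description placed next to a hardened variant that first allowlists the http and https schemes, as the expected behaviour above asks. The value of JIRA_CLOUD_HOST is assumed to be '.atlassian.net', and the constructed javascript: input is the report's return_to value after Rails has decoded the query string once (%250d becomes %0d).

```ruby
require 'uri'

# Assumed value for this example; the report does not show GitLab's constant.
JIRA_CLOUD_HOST = '.atlassian.net'.freeze

# Mirrors the incomplete fix: only the parsed hostname is inspected,
# so any scheme passes as long as the authority ends with JIRA_CLOUD_HOST.
def hostname_only_check?(url)
  return false if url.nil? || url.empty?

  !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
rescue URI::InvalidURIError
  false
end

# Hardened variant (added here): require a parsed scheme from an explicit
# allowlist before looking at the hostname. Both scheme and hostname are
# compared case-insensitively so mixed-case input is handled the same way.
ALLOWED_SCHEMES = %w[http https].freeze

def valid_jira_cloud_url?(url)
  return false if url.nil? || url.empty?

  uri = URI.parse(url)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  return false if uri.hostname.nil? || uri.hostname.empty?

  uri.hostname.downcase.end_with?(JIRA_CLOUD_HOST)
rescue URI::InvalidURIError
  false
end

# Constructed input: the report's return_to value after one round of
# query-string decoding, i.e. what the controller's check actually receives.
JS_RETURN_TO = 'javascript://test.atlassian.net/%0dalert(document.domain)'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "hostname-only check accepts javascript: URL: #{hostname_only_check?(JS_RETURN_TO)}"
  puts "scheme-allowlist check accepts javascript: URL: #{valid_jira_cloud_url?(JS_RETURN_TO)}"
end
```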

Relevant logs and/or screenshots

2022-10-10_13-02-36.mp4

Results of GitLab environment info
System information  
System:         Ubuntu 20.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.7.5p203  
Gem Version:    3.1.6  
Bundler Version:2.3.15  
Rake Version:   13.0.6  
Redis Version:  6.2.7  
Sidekiq Version:6.4.2  
Go Version:     unknown

GitLab information  
Version:        15.4.1-ee  
Revision:       7b2ed8f038f  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     13.6  
URL:            https://gl.ryotak.me  
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git  
SSH Clone URL:  git@gl.ryotak.me:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.10.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  

Impact

An attacker can execute arbitrary JavaScript in the victim's browser and perform any action on behalf of that user.
