Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP
HackerOne report #1727985 by ryotak
on 2022-10-10, assigned to GitLab Team
Report
Summary
Due to the incomplete fix for CVE-2022-0283, an attacker can execute arbitrary JavaScript on self-hosted instances that do not enforce a strict CSP.
Description
The following code was added to fix CVE-2022-0283.
app/controllers/jira_connect/users_controller.rb, lines 8-20:

    before_action :verify_return_to_url, only: [:show]
    [...]
    def verify_return_to_url
      return unless params[:return_to].present?
      # return_to is dropped only when the host check below fails; the scheme is never inspected.
      params.delete(:return_to) unless Integrations::Jira.valid_jira_cloud_url?(params[:return_to])
    end

app/models/integrations/jira.rb, lines 98-102:

    def self.valid_jira_cloud_url?(url)
      return false unless url.present?
      # Accepts any URL whose parsed hostname ends with the Jira Cloud suffix, whatever its scheme.
      !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
    end
However, because this fix was aimed at preventing an open redirect rather than an XSS, it does not validate the URL's scheme, so a javascript: URL can be supplied as long as its hostname ends with the Jira Cloud suffix.
Steps to reproduce
Self-hosted instance (with an alert)
- Set up your own GitLab instance.
- Log in to the GitLab instance.
- Open https://YOUR_OWN_INSTANCE/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)
- Click "Return to GitLab for Jira".
- Confirm that alert(document.domain) has been executed.
GitLab.com (with a CSP error message)
- Log in to GitLab.
- Open https://gitlab.com/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)
- Open DevTools.
- Click "Return to GitLab for Jira".
- Confirm that CSP prevented the execution of JavaScript.
Examples
What is the current bug behavior?
The javascript: scheme is allowed as a return URL.
What is the expected correct behavior?
Only http and https should be allowed as a scheme.
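To make the gap in the Description concrete and to show the http/https-only behaviour asked for above, here is an added example (not GitLab's own code) that re-implements the shipped host-suffix check next to a hardened variant that also checks the scheme. The value of JIRA_CLOUD_HOST is assumed to be '.atlassian.net', ActiveSupport's present? is replaced by plain Ruby, and rescuing URI::InvalidURIError is an addition for stand-alone use.

```ruby
require 'uri'

# Assumed value of GitLab's JIRA_CLOUD_HOST constant.
JIRA_CLOUD_HOST = '.atlassian.net'.freeze

# Schemes a return_to URL is allowed to use once the scheme is checked.
ALLOWED_SCHEMES = %w[http https].freeze

# Mirrors the incomplete fix: only the hostname suffix is verified, so a
# javascript: URL with an atlassian.net authority passes.
def valid_jira_cloud_url_vulnerable?(url)
  return false if url.nil? || url.empty?
  !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
rescue URI::InvalidURIError
  false # added: treat unparseable input as invalid instead of raising
end

# Hardened variant: reject anything that is not an absolute http(s) URL
# before looking at the hostname. Scheme-less (protocol-relative) URLs are
# rejected as well, since URI() leaves uri.scheme nil for them.
def valid_jira_cloud_url_fixed?(url)
  return false if url.nil? || url.empty?
  uri = URI(url)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  !!uri.hostname&.end_with?(JIRA_CLOUD_HOST)
rescue URI::InvalidURIError
  false
end

# Constructed sample: the decoded form of the report's return_to payload
# (%250d in the query string reaches the controller as %0d).
REPORT_PAYLOAD = 'javascript://test.atlassian.net/%0dalert(document.domain)'.freeze

if __FILE__ == $PROGRAM_NAME
  [REPORT_PAYLOAD, 'https://test.atlassian.net/browse/PROJ-1',
   '//test.atlassian.net/', 'https://evil.example.com/'].each do |u|
    puts format('%-60s vulnerable=%-5s fixed=%s', u,
                valid_jira_cloud_url_vulnerable?(u), valid_jira_cloud_url_fixed?(u))
  end
end
```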
Relevant logs and/or screenshots
Results of GitLab environment info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.2
Go Version: unknown
GitLab information
Version: 15.4.1-ee
Revision: 7b2ed8f038f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: https://gl.ryotak.me
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
SSH Clone URL: git@gl.ryotak.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Impact
An attacker can execute arbitrary JavaScript in the victim's browser and perform any action on behalf of that user.