Status: Closed. Issue created Oct 17, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

HackerOne report #1727985 by ryotak on 2022-10-10, assigned to GitLab Team:


Report

Summary

Due to the incomplete fix for CVE-2022-0283, an attacker can execute arbitrary JavaScript on self-hosted instances without a strict CSP.

Description

The following code was added to fix CVE-2022-0283.

app/controllers/jira_connect/users_controller.rb, lines 8-20

```ruby
  before_action :verify_return_to_url, only: [:show]
  [...]
  def verify_return_to_url
    return unless params[:return_to].present?

    params.delete(:return_to) unless Integrations::Jira.valid_jira_cloud_url?(params[:return_to])
  end
```

app/models/integrations/jira.rb, lines 98-102

```ruby
    def self.valid_jira_cloud_url?(url)
      return false unless url.present?

      !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
    end
```

However, as this fix aims to prevent an open redirect rather than an XSS, it does not validate the URL's scheme, allowing the javascript: scheme to be specified.

Steps to reproduce
Self-hosted instance (with an alert)
  1. Set up your own GitLab instance.
  2. Log in to the GitLab instance.
  3. Open https://YOUR_OWN_INSTANCE/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)
  4. Click Return to GitLab for Jira.
  5. Confirm that alert(document.domain) has been executed.
GitLab.com (with a CSP error message)
  1. Log in to GitLab.
  2. Open https://gitlab.com/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)
  3. Open DevTools.
  4. Click Return to GitLab for Jira.
  5. Confirm that CSP prevented the execution of JavaScript.
Examples

https://gitlab.com/-/jira_connect/users?return_to=javascript://test.atlassian.net/%250dalert(document.domain)

What is the current bug behavior?

The javascript: scheme is allowed as a return URL.

What is the expected correct behavior?

Only http and https should be allowed as a scheme.

Relevant logs and/or screenshots

2022-10-10_13-02-36.mp4

Results of GitLab environment info
System information  
System:         Ubuntu 20.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.7.5p203  
Gem Version:    3.1.6  
Bundler Version:2.3.15  
Rake Version:   13.0.6  
Redis Version:  6.2.7  
Sidekiq Version:6.4.2  
Go Version:     unknown

GitLab information  
Version:        15.4.1-ee  
Revision:       7b2ed8f038f  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     13.6  
URL:            https://gl.ryotak.me  
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git  
SSH Clone URL:  git@gl.ryotak.me:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.10.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  

Impact

An attacker can execute arbitrary JavaScript in the victim's browser and perform any action on behalf of the user.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • 2022-10-10_13-02-36.mp4

How To Reproduce

Please add reproducibility information to this section:
