GitLab Open Redirect Vulnerability
**[HackerOne report #1711497](https://hackerone.com/reports/1711497)** by `burpheart` on 2022-09-25, assigned to @dcouture:

[Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

An open redirect vulnerability in GitLab OAuth.

##### Steps to reproduce

1. Visit https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/ (no browser rendering is required; the request can be initiated invisibly using an HTML `img` tag).
2. Visit https://gitlab.com/login/oauth/callback and you are redirected to https://hackerone.com/?code

Or something like the following for a one-click version; the link could itself be a redirect:

```html
<img src=" https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/121233">
<a href="https://gitlab.com/login/oauth/callback">click here</a>
```

##### Impact

By modifying untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

##### Examples

1. Visit https://gitlab.com/login/oauth/authorize?redirect_uri=https://hackerone.com/
2. Visit https://gitlab.com/login/oauth/callback and you are redirected to https://hackerone.com/?code

##### What is the current *bug* behavior?

Visiting the OAuth callback redirects to https://hackerone.com/?code

##### What is the expected *correct* behavior?

Only callback URLs that pass the check are redirected to.
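The expected behaviour described above, as an added example that is not GitLab's or Doorkeeper's own code: an exact-match allowlist check on `redirect_uri`, performed at the authorize step before the value is stored in the session, so the callback can only ever redirect to a URI the application registered. The application's registered URIs, the `params` and `session` hashes and the authorization code are constructed for illustration.

```ruby
require "uri"

# Constructed: redirect URIs registered for one OAuth application. In a real
# deployment these come from the application record, never from the request.
REGISTERED_REDIRECT_URIS = [
  "https://client.example.com/oauth/callback",
  "https://client.example.com/alt/callback?v=2"
].freeze

# Normalise for comparison: lowercase scheme/host, drop the default port, keep
# path and query verbatim. Returns nil for anything that is not an absolute
# http(s) URI, or that carries userinfo (host-confusion trick) or a fragment
# (RFC 6749 section 3.1.2 forbids fragments in redirect URIs).
def normalize_redirect_uri(raw)
  uri = URI.parse(raw.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS < URI::HTTP
  return nil if uri.userinfo || uri.fragment
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  path = uri.path.empty? ? "/" : uri.path
  query = uri.query ? "?#{uri.query}" : ""
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{path}#{query}"
rescue URI::InvalidURIError
  nil
end

# Exact-match allowlist: the only acceptable values are the registered ones.
# Prefix, substring and "same domain" checks are deliberately not used.
def valid_redirect_uri?(raw, registered = REGISTERED_REDIRECT_URIS)
  candidate = normalize_redirect_uri(raw)
  return false if candidate.nil?
  registered.any? { |r| normalize_redirect_uri(r) == candidate }
end

# Authorize step: validate redirect_uri *before* it goes into the session, so
# the callback never sees an unvetted value. Returns the session hash.
def authorize(session, params)
  redirect_uri = params["redirect_uri"]
  raise ArgumentError, "invalid redirect_uri" unless valid_redirect_uri?(redirect_uri)
  session["redirect_uri"] = normalize_redirect_uri(redirect_uri)
  session
end

# Callback step: returns the Location the user agent would be sent to.
def callback(session, code)
  target = session.fetch("redirect_uri")
  sep = target.include?("?") ? "&" : "?"
  "#{target}#{sep}code=#{code}"
end
```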
##### Relevant logs and/or screenshots

##### Output of checks

This bug happens on GitLab 15.4.0-ee and GitLab.com.

###### Results of GitLab environment info

```
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.2
Go Version: unknown

GitLab information
Version: 15.4.0-ee
Revision: abbda55531f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```

#### Impact

An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues