Open Redirect in `InternalRedirect`
Summary
Within app/controllers/concerns/internal_redirect.rb
the safe_redirect_path
method is intended to
assure that no external redirects occur:
module InternalRedirect
extend ActiveSupport::Concern
def safe_redirect_path(path)
return unless path
# Verify that the string starts with a `/` and a known route character.
return unless path =~ %r{^/[-\w].*$}
uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and,
# fragment, forcing the redirect within the same host.
full_path_for_uri(uri)
rescue URI::InvalidURIError
nil
end
The check return unless path =~ %r{^/[-\w].*$}
however is bypassable as the regular expression uses ^
and $
as anchors.
Those anchors match by line and can be satisfied by single lines within multi-line input e.g.:
not-starting-with-a-slash
/starting/with/a/slash
Steps to reproduce
The following URL demonstrates the issue and will redirect to gitlab.com.phishingsite.bugkraut.de
:
https://gitlab.com/joernchen/xxeserve/-/import?continue[to]=.phishingsite.bugkraut.de?%0a/path
Possible fixes
Replacing the regex anchors by \A
and \z
will catch newlines and fix this issue.
I've got a patch and some test for it ready, I'm just waiting for my dev.gitlab.org
access to push those.