Dear GitLab bug bounty team,
Gitlab.com is vulnerable to reverse tabnabbing in issues, comments, etc. This is the same type of issue as https://hackerone.com/reports/211065, but far worse since in the previous report only a user with developer access to a project could view the "Environments" tab. In this case, the issue affects anywhere where HTML can be added.
By creating a link with https://[email protected] the parser ignores it and does not add the usual rel="nofollow noreferrer" which is located on all other links. I discovered this because I noticed that internal links are treated differently than external links. So in the example above the victim ends up on example.com, which is where the same scenario as https://hackerone.com/reports/211065 can be performed.
In order to demonstrate this issue the following payload can be used:
<a href="https://[email protected]" target="_blank">Reverse Tabnabbing</a>
The issue appears to lie in the following lines of code:
it 'skips internal links' do
  internal = Gitlab.config.gitlab.url
  exp = act = %Q(<a href="#{internal}/sign_in">Login</a>)
  expect(filter(act).to_html).to eq exp
end
Link to source code: https://github.com/gitlabhq/gitlabhq/blob/master/spec/lib/banzai/filter/external_link_filter_spec.rb#L16-L20
If you require further information feel free to contact me.
Yours sincerely,
Ed
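The report above shows the "internal link" decision being made on the textual start of the href, so a URL whose userinfo part contains the site's own host is skipped by the filter. The following Ruby is an added example, not GitLab's code and not the filter the report links to: it places the prefix-based check beside a host-based check that parses the URL, and a small renderer that attaches rel="nofollow noreferrer noopener" to every link that is not on the configured site. INTERNAL_BASE, the helper names and the hostnames gitlab.example and evil.test are constructed for the example.

```ruby
require 'uri'
require 'cgi'

# Constructed stand-in for the site's own base URL (Gitlab.config.gitlab.url
# in the spec quoted in the report); not a real deployment.
INTERNAL_BASE = 'https://gitlab.example'.freeze

# The weak form: "internal" means "the href starts with our base URL".
# A URL with the internal host in the userinfo part passes this check
# although the browser will go to a different host.
def naive_internal?(href, internal_base = INTERNAL_BASE)
  href.to_s.start_with?(internal_base)
end

# The hardened form: decide by parsed scheme, host and port.
# URI.parse puts "gitlab.example" into userinfo for
# "https://gitlab.example@evil.test/", so the host compared here is evil.test.
# Anything that does not parse is treated as external (fail closed).
def internal_link?(href, internal_base = INTERNAL_BASE)
  base = URI.parse(internal_base)
  uri  = URI.parse(href.to_s.strip)
  # "/issues/1" or "#top": no scheme, no host, stays on this site
  return true if uri.scheme.nil? && uri.host.nil?
  # "mailto:", "javascript:" and friends have no host and are not site links
  return false if uri.host.nil?
  uri.scheme == base.scheme && uri.host.casecmp?(base.host) && uri.port == base.port
rescue URI::InvalidURIError
  false
end

# Render an anchor, adding the rel attributes only for external targets.
# Output is escaped so href and text cannot inject further markup.
def render_link(href, text, internal_base = INTERNAL_BASE)
  attrs = %(href="#{CGI.escapeHTML(href.to_s)}")
  unless internal_link?(href, internal_base)
    attrs << %( rel="nofollow noreferrer noopener")
  end
  "<a #{attrs}>#{CGI.escapeHTML(text.to_s)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample hrefs: the first two really point at the site,
  # the rest only look like it under a prefix comparison.
  samples = [
    'https://gitlab.example/sign_in',
    '/issues/1',
    'https://gitlab.example@evil.test/',
    'https://gitlab.example.evil.test/',
    '//evil.test/'
  ]
  samples.each do |href|
    printf("%-40s naive=%-5s parsed=%-5s %s\n",
           href, naive_internal?(href), internal_link?(href), render_link(href, 'link'))
  end
end
```

The sample run prints one line per constructed href; the userinfo case is the one where the two checks disagree, and it is the only place the renderer's rel attributes depend on which check is used.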