CVE-2023-32766 - Untrusted Redirections Leading to XSS in Gitpod Before 2022.11.3

Gitpod, a popular open-source developer platform, recently experienced a Cross-Site Scripting (XSS) vulnerability. This vulnerability, identified as CVE-2023-32766, affected versions of Gitpod prior to 2022.11.3. The vulnerability was discovered due to Gitpod allowing redirections to untrusted protocols, thereby exposing it to potential XSS attacks.

In this long-read post, we will dive deeper into the details of this exploitation and provide you with useful resources, code snippets, and links to original references. Our aim is to help you understand the vulnerability better and guide you through resolving this issue in case you're using an affected version of Gitpod.

Exploit Details

The XSS vulnerability in Gitpod manifests itself because the application accepts redirections to arbitrary protocols, which can be outside the trusted set of three (vscode:, vscode-insiders:, and jetbrains-gateway:). By exploiting this vulnerability, an attacker can potentially execute arbitrary JavaScript within the victim's browser.

Gitpod uses a method called isTrustedRedirect in the redirectvalidator.ts file to check whether a redirection is allowed or not. The vulnerable code snippet is as follows:

// redirectvalidator.ts
function isTrustedRedirect(url: string): boolean {
  return /^(vscode|vscode-insiders|jetbrains-gateway):/.test(url);
}

This code is designed to check if the protocol of the provided URL matches one of the three trusted protocols. However, this check isn't foolproof, as exploiting an overlooked match allows an attacker to craft a malicious URL that injects XSS payloads.

An example of crafting a malicious URL would be

https://gitpod.io/login/oauth/authorize?returnTo=xssattack:%2F%2Fwww.example.com%2F%23%3Cscript%3Ealert(1)%3C%2Fscript%3E

In this example, the URL provided as a parameter bypasses the isTrustedRedirect check and triggers a redirection to "xssattack:" protocol, which eventually executes the embedded script, resulting in an XSS attack.

Mitigation and Fix

To remediate this vulnerability, it's essential to restrict the allowed protocols only to the trusted ones and ensure that only those protocols can pass the isTrustedRedirect check. Gitpod resolved this issue in version 2022.11.3 by adding additional checks and more robust sanitization:

// Updated redirectvalidator.ts
function isTrustedRedirect(url: string): boolean {
  const parsedUrl = new URL(url);
  return /^(vscode|vscode-insiders|jetbrains-gateway):/.test(parsedUrl.protocol);
}

This updated version uses the URL constructor to parse the provided URL and checks for the protocol's presence in the whitelist. After applying these changes, the malicious URL example mentioned earlier will not pass the check and hence, will not lead to an XSS attack.

For more information and details, please refer to the following resources

1. Gitpod Security Advisory: GHSA-2qc2-hcxr-xjq4
2. Gitpod Patch Commit: Fix Open-Redirect / XSS vulnerability (#7185)
3. Gitpod Repository: gitpod-io/gitpod

Conclusion

CVE-2023-32766 demonstrates the importance of properly validating and sanitizing user inputs, especially when it comes to URL redirections. By restricting the allowed protocols only to the trusted ones, Gitpod has resolved the issue in version 2022.11.3. If you're using an affected version of Gitpod, make sure to update it to protect yourself from potential XSS attacks.

Timeline

Published on: 06/05/2023 15:15:00 UTC
Last modified on: 06/09/2023 22:42:00 UTC