draw.io OAuth GitLab URL Override Vulnerability Leading to Credential Phishing and Token Exfiltration

Vulnerability

A vulnerability in draw.io prior to version 29.7.9 allows the GitLab server URL used during OAuth sign-in to be overridden with a crafted link. Because the URL parameter is not validated, the resulting redirect can lead to credential phishing and exfiltration of session state tokens. When a user clicks 'Authorize in GitLab', a popup opens on the attacker-controlled host instead of the intended GitLab site. The issue affects users of draw.io deployments, including the public instance at app.diagrams.net, who open links from untrusted sources that carry the vulnerable parameter.

Impact

Exploitation of this vulnerability could result in unauthorized access to a user's GitLab account through credential phishing, as well as the exfiltration of session state tokens, which could be used to manipulate the user's draw.io session.

Reproduction

To reproduce this vulnerability, open a link to a draw.io instance that includes a 'gitlab' URL parameter pointing to an attacker-controlled site. Ensure the draw.io version is prior to 29.7.9. When prompted to authorize with GitLab, the popup will redirect to the attacker's site instead of GitLab, demonstrating the vulnerability.

Remediation

Users should upgrade to draw.io version 29.7.9 or later, where this vulnerability is patched. Self-hosted GitLab operators must set 'enableCustomGitLabUrl: true' in their configuration to use the GitLab integration, and should be aware that enabling a custom GitLab URL carries the associated risks.
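The defensive pattern behind the fix is to treat the 'gitlab' query parameter as untrusted input: honour it only when the operator has opted in, only for https, and only for hosts the operator has explicitly allowed, falling back to the default GitLab origin otherwise so that the OAuth popup (and the state token it carries) is never sent to an arbitrary host. The following is an added example written for this page, not draw.io's own code; the default origin, the config shape (enableCustomGitLabUrl, allowedGitLabHosts) and the function names are assumptions for illustration.

```javascript
// Added example, not draw.io's own code. Demonstrates validating a
// 'gitlab' URL parameter before using it as the OAuth base URL.

// Assumed default when no trusted custom URL is supplied.
const DEFAULT_GITLAB_URL = 'https://gitlab.com';

// Resolve the GitLab origin to use for OAuth from the page URL and the
// deployment configuration. Any untrusted value falls back to the default.
function resolveGitLabUrl(pageUrl, config) {
  const requested = new URL(pageUrl).searchParams.get('gitlab');
  if (!requested) return DEFAULT_GITLAB_URL;

  // Custom URLs are only honoured when the operator opted in
  // (enableCustomGitLabUrl is the setting named in the advisory).
  if (!config || config.enableCustomGitLabUrl !== true) return DEFAULT_GITLAB_URL;

  let parsed;
  try {
    parsed = new URL(requested);
  } catch (e) {
    return DEFAULT_GITLAB_URL; // not a parseable absolute URL
  }

  // Reject non-https schemes (javascript:, http:, data:, ...).
  if (parsed.protocol !== 'https:') return DEFAULT_GITLAB_URL;

  // Only hosts the operator explicitly listed may be used.
  const allowed = Array.isArray(config.allowedGitLabHosts) ? config.allowedGitLabHosts : [];
  if (!allowed.includes(parsed.hostname)) return DEFAULT_GITLAB_URL;

  // Use only the origin; drop any path, query or fragment from the link.
  return parsed.origin;
}

// Build the authorize URL the popup opens. The state token is attached
// only to the validated origin, never to the raw parameter value.
function buildAuthorizeUrl(gitlabOrigin, clientId, redirectUri, state) {
  const u = new URL('/oauth/authorize', gitlabOrigin);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('state', state);
  return u.toString();
}

// Constructed sample: a self-hosted deployment allowing one GitLab host.
const sampleConfig = {
  enableCustomGitLabUrl: true,
  allowedGitLabHosts: ['gitlab.example.com'],
};

// Constructed crafted link: the parameter points at a host not on the list.
const craftedLink = 'https://drawio.example/?gitlab=https://attacker.example';
console.log(resolveGitLabUrl(craftedLink, sampleConfig)); // falls back to the default origin
```

With the allowlist check in place, a link carrying an unlisted host resolves to the default origin, so the 'Authorize in GitLab' popup and its state parameter never reach the host named in the crafted link.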

Added: May 8, 2026, 10:26 PM
Updated: May 8, 2026, 10:26 PM

Vulnerability Rating (Custom Algorithm)

- spread: 6.6
- impact: 2.7
- exploitability: 4.6
- remediation: 8.3
- relevance: 7.8
- threat: 1.6
- urgency: 2.9
- incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.