Summary
The /gcs-redirect endpoint in ClusterFuzz (src/appengine/handlers/gcs_redirector.py, lines 28–40) carries no authentication decorator, so any unauthenticated request can probe whether a given GCS object exists and can use the endpoint as an open redirect.
Vulnerable Code
The handler reads a ?path= query parameter, calls storage.get() to check whether the named GCS object exists, and then issues a redirect built from that path: to OBJECT_URL when the object exists, or to DIRECTORY_URL when it does not. The existence check therefore runs with the handler's own storage credentials on behalf of an anonymous caller, and the result is exposed in the redirect target.
Additionally, get_bucket_name_and_path() does not validate the format of the supplied path. Because the bucket and object name come straight from the request, the redirect target is attacker-controlled, which turns a clusterfuzz.com link into an open redirect to an arbitrary GCS URL.
Impact
- GCS object enumeration: by observing which redirect target is returned (OBJECT_URL versus DIRECTORY_URL), an unauthenticated attacker can determine whether any GCS object exists, enumerating crash reports, fuzzing corpus files, build artifacts and coverage data without being able to read the bucket directly
- Open redirect: a link on the trusted clusterfuzz.com domain can send users to an attacker-controlled GCS bucket, enabling phishing against OSS-Fuzz users and security researchers who expect the target to be a ClusterFuzz artifact
Suggested Fix
Apply the same authentication decorator used by the other handlers to the /gcs-redirect endpoint, so the storage lookup is only performed for authenticated users, and validate the path parameter: parse it strictly as a bucket name plus object name, reject anything that is not a syntactically valid bucket name, and restrict the bucket to the deployment's own buckets so the redirect can never point at a bucket the attacker controls.
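The following is an added example of the validation half of that fix, written for this report rather than taken from ClusterFuzz. The function names (parse_gcs_path, is_valid_gcs_path, build_redirect_url), the bucket allowlist and the two URL templates are all hypothetical stand-ins for the project's get_bucket_name_and_path(), OBJECT_URL and DIRECTORY_URL; the authentication decorator is a separate change and is not shown here.

```python
"""Added example: strict validation of a GCS redirect's ``path`` parameter.

Illustrative code, not ClusterFuzz's handler.  ALLOWED_BUCKETS, OBJECT_URL,
DIRECTORY_URL and the function names below are hypothetical.
"""
import re
from urllib.parse import quote

# GCS bucket naming rules: 3-63 characters of lowercase letters, digits,
# dashes, underscores and dots, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r'^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$')

# Hypothetical allowlist of buckets this deployment owns.  The format check
# only rejects malformed input; restricting the target to known buckets is
# what actually closes the open redirect.
ALLOWED_BUCKETS = frozenset({'example-fuzz-corpus', 'example-fuzz-builds'})

# Hypothetical templates standing in for OBJECT_URL / DIRECTORY_URL.
OBJECT_URL = 'https://storage.cloud.google.com/{bucket}/{object}'
DIRECTORY_URL = 'https://console.cloud.google.com/storage/browser/{bucket}/{object}'


class InvalidGcsPath(ValueError):
    """Raised when ``path`` is not a well-formed, allowlisted GCS location."""


def parse_gcs_path(path, allowed_buckets=ALLOWED_BUCKETS):
    """Return (bucket, object_name) for ``gs://bucket/object`` or ``bucket/object``.

    Rejects non-string or empty input, bucket names that violate GCS naming
    rules (which also rejects schemes such as ``https:``), buckets outside
    the allowlist, and object names containing control characters,
    backslashes, empty interior segments or ``.``/``..`` segments.
    """
    if not isinstance(path, str) or not path:
        raise InvalidGcsPath('empty path')
    if path.startswith('gs://'):
        path = path[len('gs://'):]
    bucket, _, object_name = path.partition('/')
    if not _BUCKET_RE.match(bucket):
        raise InvalidGcsPath('malformed bucket name: %r' % bucket)
    if bucket not in allowed_buckets:
        raise InvalidGcsPath('bucket not allowlisted: %r' % bucket)
    if '\\' in object_name or any(ord(c) < 0x20 or ord(c) == 0x7f for c in object_name):
        raise InvalidGcsPath('disallowed character in object name')
    if '//' in object_name or any(seg in ('.', '..') for seg in object_name.split('/')):
        raise InvalidGcsPath('disallowed path segment in object name: %r' % object_name)
    return bucket, object_name


def is_valid_gcs_path(path):
    """Boolean wrapper around parse_gcs_path for callers that only need a verdict."""
    try:
        parse_gcs_path(path)
    except InvalidGcsPath:
        return False
    return True


def build_redirect_url(path, object_exists):
    """Validate ``path`` and pick the redirect target.

    ``object_exists`` is a callable (bucket, object_name) -> bool standing in
    for the storage lookup.  It is only called after validation succeeds, so
    a request can no longer drive a lookup against an arbitrary bucket.
    """
    bucket, object_name = parse_gcs_path(path)
    template = OBJECT_URL if object_exists(bucket, object_name) else DIRECTORY_URL
    return template.format(bucket=bucket, object=quote(object_name, safe='/'))


if __name__ == '__main__':
    # Constructed sample: pretend only one object exists in the corpus bucket.
    def fake_exists(bucket, object_name):
        return (bucket, object_name) == ('example-fuzz-corpus', 'crashes/crash-1.txt')

    for candidate in ['gs://example-fuzz-corpus/crashes/crash-1.txt',
                      'example-fuzz-builds/nightly/',
                      'attacker-bucket/phish.html',
                      'https://evil.example/x',
                      'gs://example-fuzz-corpus/../escape']:
        try:
            print(candidate, '->', build_redirect_url(candidate, fake_exists))
        except InvalidGcsPath as err:
            print(candidate, '-> rejected:', err)
```

The allowlist is the part that matters for the open redirect: a bucket name that is syntactically valid but belongs to the attacker still passes the regex, so the format check on its own would leave the redirect exploitable.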