Stored XSS in any Markdown field due to Mermaid
Link: https://hackerone.com/reports/341689 By: @fransrosen
I read that Gitlab had enabled Mermaid and started to test it a bit.
I noticed that the following Markdown in Gitlab:
Will end up in the following output:
This is a pretty bad issue, since this creates a stored XSS in every place where markdown comments are possible, which is almost everywhere in Gitlab. I would suggest you disable this, or make sure it's not possible to inject HTML using Mermaid.
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
2018-04-21 23:01:40 +0000: @fransrosen (comment)
Here's a similar payload but using Mermaid-escaped
```mermaid
graph LR
id1["<img src=x onerror=alert#lpar;document.domain#rpar;>"]
```
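The report's two payloads differ only in that the second hides the parentheses behind Mermaid's `#lpar;`/`#rpar;` entity escapes, so a content check that looks for HTML only in the raw Markdown would miss it. The scanner below is an added example for defenders, written for this page; it is not code from the report, from GitLab, or from the Mermaid project. It pulls ```mermaid fences out of Markdown, decodes the entity escapes before inspecting each quoted node label, and flags labels that contain tag syntax, inline event handlers, or `javascript:` URIs. The entity table (the two names from the report plus Mermaid's numeric `#NN;` form), the label regex, and the three detection rules are the example's own simplifying assumptions; Mermaid's real grammar and escape handling are broader, and the sample Markdown is constructed for the demonstration.

```javascript
// Added example (not from the report, GitLab or Mermaid): find Mermaid node
// labels in Markdown that smuggle HTML, including via Mermaid entity escapes.

// Entity escapes this scanner decodes. "lpar"/"rpar" are the names used in the
// report's payload; the numeric form (e.g. "#35;" -> "#") is Mermaid's generic
// escape. Assumption: Mermaid accepts more names than these two.
const NAMED_ENTITIES = { lpar: "(", rpar: ")", quot: "\"" };

// Replace "#name;" and "#123;" sequences with the character they stand for.
function decodeMermaidEntities(label) {
  return label.replace(/#(\d+|[a-z]+);/gi, (match, body) => {
    if (/^\d+$/.test(body)) return String.fromCodePoint(Number(body));
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, key)
      ? NAMED_ENTITIES[key]
      : match; // unknown name: leave it untouched
  });
}

// Return the body of every ```mermaid fence. The lazy match also handles the
// report's one-line form: ```mermaid graph LR ... ```.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  const fence = /```mermaid\s*([\s\S]*?)```/g;
  let m;
  while ((m = fence.exec(markdown)) !== null) blocks.push(m[1]);
  return blocks;
}

// Heuristic rules applied to the *decoded* label text (assumption: a simplified
// subset of what a real HTML sanitizer would check).
const RULES = [
  { reason: "html-tag", re: /<\s*\/?[a-z]/i },
  { reason: "event-handler", re: /\bon[a-z]+\s*=/i },
  { reason: "javascript-uri", re: /javascript\s*:/i },
];

// Quoted node labels such as id1["..."], id2("...") or id3{"..."}.
const QUOTED_LABEL = /[\[({]\s*"([^"]*)"\s*[\])}]/g;

// Scan Markdown and return one finding per suspicious label.
function scanMarkdown(markdown) {
  const findings = [];
  extractMermaidBlocks(markdown).forEach((block, index) => {
    let m;
    while ((m = QUOTED_LABEL.exec(block)) !== null) {
      const decoded = decodeMermaidEntities(m[1]);
      const reasons = RULES.filter((r) => r.re.test(decoded)).map((r) => r.reason);
      if (reasons.length > 0) {
        findings.push({ block: index, label: m[1], decoded, reasons });
      }
    }
  });
  return findings;
}

// Constructed sample: a benign diagram (with a legitimate numeric escape) and
// the escaped payload quoted from the report's follow-up comment.
const SAMPLE_MARKDOWN = [
  "Release notes",
  "",
  "```mermaid",
  "graph LR",
  '  a["Build"] --> b["Deploy"]',
  '  c["Issue #35;42"]',
  "```",
  "",
  "Comment from the report:",
  "",
  '```mermaid graph LR id1["<img src=x onerror=alert#lpar;document.domain#rpar;>"] ```',
].join("\n");

console.log(JSON.stringify(scanMarkdown(SAMPLE_MARKDOWN), null, 2));
```

Running it reports a single finding for the second block, with the label decoded to `<img src=x onerror=alert(document.domain)>` and reasons `html-tag` and `event-handler`; the benign `Issue #35;42` label decodes to `Issue #42` and is not flagged. The decode-then-inspect order is the point: any check that runs on the raw text, whether a pre-submit lint or a log-based detection, has to apply the renderer's own escape rules first or the entity form slips through exactly as the second payload shows.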