Skip to content

XSS for Markdown elements where [[_TOC_]] is enabled

Via HackerOne https://hackerone.com/reports/353713

Summary

In wiki, the filter for replacing a [[_TOC_]] with Table of Contents is enabled.

I'm pretty certain the issue is here:

https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/banzai/filter/table_of_contents_filter.rb#L69
result[:toc] << %Q{<li><a href="##{header_node.href}">#{header_node.text}</a>}

What's basically happens here is that .text has the value as a text-item, so < would not be as entities, but instead as the real <. So by creating the following content on a wiki-page:

[[_TOC_]]
# &lt;img src=x onerror=alert(document.domain)&gt;

The TOC will be generated, but the escaped img-tag will be rendered, and the onerror-attribute will trigger, running the javascript provided:

{F298848}

Mitigation

Make sure the content of the anchor is still escaped when moved to the TOC.

Impact

This is a pretty bad issue, since this creates a stored XSS on every place the TOC filter is enabled, the Wiki being one.

Regards, Frans

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

Verified

Yes

What is the current bug behavior?

Content following [[TOC]] is rendered as HTML.

What is the expected correct behavior?

No script execution.

Relevant logs and/or screenshots

Note that this is present in the "Preview" as well:

Edit___Home___Wiki___test2___testing___GitLab

Edited by James Ritchey