Stored XSS for Environments
HackerOne report #426577 by xanbanx on 2018-10-21:
Hi GitLab security team.
I found a stored XSS vulnerability related to environments. Environments have an associated environment URL. This URL is susceptible to XSS attacks since it allows the javascript pseudo-protocol with a proper XSS payload. The generated URL is visible to all users with merge request access, which is highly critical for internal and public projects.
Steps To Reproduce:
This was tested on GitLab 11.4.0-rc8-e
- Create a project
- Add the following .gitlab-ci.yml:

```yaml
deploy_staging:
  stage: deploy
  script:
    - echo "Deploy to staging server"
  environment:
    name: test
    url: javascript://gitlab.com/xanbanx%0aalert(1)
```

- Create a new merge request and let the CI job run
- Click on "View app" to trigger the XSS vulnerability. Note that this button is visible to all users who have access to the project.
- This XSS can also be triggered on hxxps://gitlab.com/<namespace>/<project>/environments and on hxxps://gitlab.com/<namespace>/<project>/environments/<env_id> by opening the environment or viewing the deployment
A similar vulnerability can be crafted by creating an environment manually:
- Go to hxxps://gitlab.com/<namespace>/<project>/environments
- Create a new environment with: name: test, External url: javascript://gitlab.com/xanbanx%0aalert(1)
- This XSS can also be triggered on hxxps://gitlab.com/<namespace>/<project>/environments and on hxxps://gitlab.com/<namespace>/<project>/environments/<env_id> by opening the environment or viewing the deployment
Mitigation
Only allow http(s) for the environment URL.
Impact
The stored XSS triggers for anyone who reads a merge request; it also triggers on gitlab.com, and it can trigger on public repositories. The PoC can easily be extended to steal the user's CSRF token, modify their email address to, e.g., take over their account, or steal other private information.
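An added example in Ruby (GitLab's own language) that is not part of xanbanx's report or of GitLab's code. It shows why the payload is shaped the way it is and how the scheme allowlist the mitigation asks for rejects it: after percent-decoding, the text a browser executes for `javascript://gitlab.com/xanbanx%0aalert(1)` is `//gitlab.com/xanbanx` (a JavaScript line comment), a newline from `%0a`, then `alert(1)`. Because the URL also parses as having a plausible host, a validator that only checks for a host lets it through; only an allowlist on the scheme stops it. The function names, the hostname `staging.example.com` and all sample URLs other than the report's payload are assumptions for illustration.

```ruby
require 'uri'

# Schemes an environment's external URL may use. Anything else (javascript:,
# data:, vbscript:, ...) is refused instead of being rendered into an href.
ALLOWED_SCHEMES = %w[http https].freeze

# What a browser actually executes for a javascript: URL: the text after the
# scheme, percent-decoded. For the report's payload that is
# "//gitlab.com/xanbanx\nalert(1)": "//gitlab.com/xanbanx" is a JS line
# comment, the decoded %0a ends it, and alert(1) runs.
def javascript_body(raw)
  return nil unless raw =~ /\Ajavascript:/i
  URI.decode_www_form_component(raw.sub(/\Ajavascript:/i, ''))
end

# A check that only asks "does this URL have a host?". The payload carries a
# plausible host (gitlab.com) precisely so that this kind of check passes it.
def host_only_check(raw)
  uri = URI.parse(raw)
  !(uri.host.nil? || uri.host.empty?)
rescue URI::InvalidURIError
  false
end

# Scheme allowlist, the fix the report asks for. Returns [:ok, uri] for a
# usable http(s) URL and [:rejected, reason] otherwise.
def validate_environment_url(raw)
  uri = URI.parse(raw.to_s.strip)
  return [:rejected, 'missing scheme'] if uri.scheme.nil?
  scheme = uri.scheme.downcase # "JavaScript:" must not slip past the allowlist
  return [:rejected, "scheme not allowed: #{scheme}"] unless ALLOWED_SCHEMES.include?(scheme)
  return [:rejected, 'missing host'] if uri.host.nil? || uri.host.empty?
  [:ok, uri]
rescue URI::InvalidURIError => e
  [:rejected, "unparseable: #{e.message}"]
end

# Constructed sample inputs (hypothetical, apart from the report's payload).
SAMPLES = [
  'javascript://gitlab.com/xanbanx%0aalert(1)', # the report's payload
  'JavaScript:alert(document.cookie)',           # mixed-case scheme
  'data:text/html;base64,PHNjcmlwdD4=',          # another non-http scheme
  '//gitlab.com/app',                            # scheme-relative, no scheme
  'https://staging.example.com/',
  'HTTPS://staging.example.com/'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |url|
    status, detail = validate_environment_url(url)
    printf("%-45s host-only=%-5s allowlist=%s %s\n",
           url, host_only_check(url), status, status == :rejected ? "(#{detail})" : '')
  end
end
```

The allowlist is applied to the parsed scheme rather than to the raw string so that case variants and leading whitespace do not create a second, unchecked interpretation of the same value; a denylist of known bad schemes would miss the next pseudo-protocol, which is why the mitigation is phrased as "only allow http(s)".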