Stored XSS via KaTeX

HackerOne report #448970 by jouko on 2018-11-23:

Summary: User-editable Markdown is used a lot on GitLab. Normally hyperlinks are checked for safety. javascript: links are rejected because malicious scripts could be executed if someone clicks on such a link.

The KaTeX library used to render math in Markdown documents however has its own linking syntax without such safety checking. This syntax may be used to inject malicious JavaScript in GitLab's Markdown.

Description: The link syntax can be found in the reference at https://katex.org/docs/supported.html#html

\href{https://katex.org/}{\KaTeX}

Steps To Reproduce:

Go to the Markdown editor, e.g. view a Snippet and enter a comment such as:

$`\href{javascript:alert('hello');}{test}`$

Click Preview to see the Markdown rendered
Click on the link, observe the JavaScript alert box

Supporting Material/References:

Impact

The normal stored XSS impact. The victim is required to click on the link.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

gitlab3.png

Security Issue

https://dev.gitlab.org/gitlab/gitlabhq/issues/2760

Edited Jan 02, 2019 by Constance Okoghenun