Skip to content

XSS in all areas that accept markdown

HackerOne report #633942 by samuelmortenson on 2019-07-02, assigned to estrike:

Summary

Gitlab issue descriptions and other areas that accept markdown like .md files in repositories are vulnerable to cross site scripting.

Steps to reproduce

  1. Visit any area in Gitlab that accepts markdown (easiest for me is the new issue form)
  2. Copy the code from this gist exactly into the markdown textarea: https://gist.github.com/mortenson/55c60006e336c3c4327d62365fcf04d4
  3. Click "Preview", or submit the form and load the subsequent page
  4. See XSS triggered

I verified that this is exploitable on Gitlab.com, and locally in my instance of Gitlab CE.

Impact

Any users visiting the page with this payload can have arbitrary JavaScript ran in their user session.

Examples

I created a private project on Gitlab with an issue that triggers XSS: https://gitlab.com/mortenson/test/issues/1

What is the current bug behavior?

When this specially crafted string is rendered by Gitlab, it results in this output:

&#x000A;<img src="o.O" onerror="alert(`samwashere`)">&#x000A;<iframe></iframe>

Which immediately triggers the onerror code on page load.

What is the expected correct behavior?

The onerror attribute (and any attribute that starts with on) should be stripped before HTML is rendered. I wonder if iframe tags should be allowed as well.

Relevant logs and/or screenshots

n/a

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

For my local Gitlab CE instance:

$ docker exec 34dd265dab84 gitlab-rake gitlab:env:info

System information  
System:  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.3p62  
Gem Version:	2.7.9  
Bundler Version:1.17.3  
Rake Version:	12.3.2  
Redis Version:	3.2.12  
Git Version:	2.21.0  
Sidekiq Version:5.2.7  
Go Version:	unknown

GitLab information  
Version:	12.0.2  
Revision:	1a9fd38a4ca  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	10.7  
URL:		http://gitlab.example.com  
HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers:

GitLab Shell  
Version:	9.3.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git

Impact

Any that is feasible with XSS - data loss, forwarding of private information, potentially user session hijacking, phishing to get the user to re-enter their password, etc.

Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2896

Edited by Jan Provaznik