XSS in all areas that accept markdown
HackerOne report #633942 by samuelmortenson
on 2019-07-02, assigned to estrike
:
Summary
Gitlab issue descriptions and other areas that accept markdown like .md
files in repositories are vulnerable to cross site scripting.
Steps to reproduce
- Visit any area in Gitlab that accepts markdown (easiest for me is the new issue form)
- Copy the code from this gist exactly into the markdown textarea: https://gist.github.com/mortenson/55c60006e336c3c4327d62365fcf04d4
- Click "Preview", or submit the form and load the subsequent page
- See XSS triggered
I verified that this is exploitable on Gitlab.com, and locally in my instance of Gitlab CE.
Impact
Any users visiting the page with this payload can have arbitrary JavaScript ran in their user session.
Examples
I created a private project on Gitlab with an issue that triggers XSS: https://gitlab.com/mortenson/test/issues/1
What is the current bug behavior?
When this specially crafted string is rendered by Gitlab, it results in this output:

<img src="o.O" onerror="alert(`samwashere`)">
<iframe></iframe>
Which immediately triggers the onerror
code on page load.
What is the expected correct behavior?
The onerror
attribute (and any attribute that starts with on
) should be stripped before HTML is rendered. I wonder if iframe
tags should be allowed as well.
Relevant logs and/or screenshots
n/a
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
For my local Gitlab CE instance:
$ docker exec 34dd265dab84 gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.21.0
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.0.2
Revision: 1a9fd38a4ca
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.7
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 9.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Any that is feasible with XSS - data loss, forwarding of private information, potentially user session hijacking, phishing to get the user to re-enter their password, etc.
Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2896