Closed

Opened Jan 06, 2017 by Brian Neel (@briann), Contributor

User reported XSS vulnerability

A user contacted us via the security email address to report the following issue:

Hello Gitlab Security team,

I'm writing because I noticed an issue this morning while working on my wife's blog, which rapidly turned into me drafting a full-blown POC of a vulnerability in the reStructuredText parser of GitLab.

The issue is that the .. raw:: html directive is parsed fully in your system's .rst parser, which means that an attacker can embed raw HTML into the displayed output to users. This includes inline JS. The POC is dormant as it has an invalid user ID; however, if a valid one were supplied, it would make that user a master in the 1st project of any user unfortunate enough to display it.

You can imagine what could happen if this were made the README of a project. It could easily be used as a worm allowing an attacker to slowly take control of more repositories as users visited them.

I have attached my POC so that you can validate the issue yourselves in a PRIVATE repository so that things don't rapidly spiral out of hand.

I believe that in the tool you are using to parse, the .. raw:: directive can be disabled. This should solve the security issue immediately.

I would like to mention at this time that I would like to be publicly acknowledged for this research and disclosure once it is resolved and publicized.

Thank you.
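The report describes the mechanism (docutils passes the body of a .. raw:: html directive through to the rendered page untouched) and the mitigation (switch the raw directive off in the parser). The following Python is an added example written for this page; it is not code from the reporter's POC or from GitLab. It shows the two defensive pieces a maintainer would want: a pre-render scan that locates raw directives in untrusted .rst input (a heuristic, since it also matches such a line inside a literal block), and a docutils rendering call with raw output and file insertion disabled so that a raw block is replaced by a system message with its text escaped. The sample README is constructed; the raw bodies are inert HTML comments. The rendering helper requires docutils to be installed, which the scanner does not.

```python
"""Pre-render detection and hardened rendering for `.. raw::` in reStructuredText.

Added example for this issue, not code from the report or from GitLab. The
sample document is constructed; its raw blocks contain only HTML comments.
"""
import re
from typing import List, Tuple

# One RST explicit-markup line that starts a raw directive, in either form:
#   .. raw:: html            (plain directive)
#   .. |name| raw:: html     (substitution definition)
# Directive names are case-insensitive in docutils, hence IGNORECASE.
# Heuristic: a matching line inside a literal block is flagged too, although
# the parser would not treat it as a directive there.
RAW_DIRECTIVE_RE = re.compile(
    r"^[ \t]*\.\.[ \t]+(?:\|[^|\n]+\|[ \t]+)?raw[ \t]*::[ \t]*(?P<fmt>\S*)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: an ordinary README with two raw blocks, one in upper case.
SAMPLE_README = """Project title
=============

Some ordinary text.

.. raw:: html

   <!-- attacker-controlled markup would sit here -->

More text.

.. RAW:: HTML

   <!-- second block -->
"""


def find_raw_directives(source: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, output format) for every raw directive line.

    Usable as an upload-time or pre-commit check on user-supplied .rst files.
    """
    hits = []
    for match in RAW_DIRECTIVE_RE.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        hits.append((line_no, match.group("fmt").lower()))
    return hits


def docutils_available() -> bool:
    """True when docutils (the renderer used below) can be imported."""
    import importlib.util
    return importlib.util.find_spec("docutils") is not None


def render_html_body(source: str) -> Tuple[str, str]:
    """Render RST to an HTML body with raw output switched off.

    Returns (html_body, parser_warnings). With raw_enabled=False docutils
    replaces each raw directive with a level-2 system message that carries the
    directive text as an HTML-escaped literal block, so nothing from the raw
    body reaches the browser as markup. file_insertion_enabled=False also
    blocks `.. include::` and the :file:/:url: options of other directives.
    """
    import io
    from docutils.core import publish_parts

    warnings = io.StringIO()
    settings = {
        "raw_enabled": False,
        "file_insertion_enabled": False,
        "warning_stream": warnings,  # collect parser warnings instead of stderr
    }
    parts = publish_parts(source, writer_name="html", settings_overrides=settings)
    return parts["body"], warnings.getvalue()


if __name__ == "__main__":
    for line_no, fmt in find_raw_directives(SAMPLE_README):
        print(f"raw directive at line {line_no} (format: {fmt or 'unspecified'})")
    if docutils_available():
        body, warnings = render_html_body(SAMPLE_README)
        print(warnings)
        print(body)
```

The scan is a triage aid for reviewing submissions or auditing existing repositories; the setting change is the actual fix, because it removes the pass-through at the parser level regardless of how the directive is spelled or nested.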

Reference: gitlab-org/gitlab-foss#26411