Skip to content
GitLab
Next
Closed
Issue created by Ernst van Nierop@ernstvn-gitlabContributor

White-listed style attribute for table contents in MD enables UI redressing

From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:

  • Effort: Low
  • Impact: Low
  • Location: Markdown

Details

It was discovered that the Gitlab markdown parser (i.e. for rendered MD files and alike) removes style attributes to avoid UI redressing attacks. This is a safe default and recommended. However, <TH> and <TD> elements (and seemingly only these) can in fact be applied with style attributes for unknown reasons. This allows an attacker to create styles for a <TH> or <TD> element that produce an absolutely positioned overlay that can be used for Phishing and UI redressing purposes. The following example snipped illustrates the Markdown necessary for a PoC attack.

<table><tr><td style="position: fixed; top: 0px; left: 0px; height:
50px; width: 50px; background: red; z-index: 999; font-size: 36px;">
<div>Please click <u>here</u> to legitely change your passwerd.</div>
</td></tr></table>

Note that the attacker can also overlay existing links with transparent panels and thus can have every click a user performs redirected to a different origin.

Reproduction Steps

  • Create a file with the sample HTML content seen above
  • Upload that file to a repository in Gitlab
  • Click on the uploaded file to render it

Recommendation

No element should have the possibility to carry style attributes. If style attributes are necessary, a CSS sanitizer should be utilized that prohibits the use of positioning directives and transparency properties.