  • #36098
Closed
Open
Issue created Aug 07, 2017 by Ernst van Nierop@ernstvn-gitlabContributor

White-listed style attribute for table contents in MD enables UI redressing

From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:

  • Effort: Low
  • Impact: Low
  • Location: Markdown

Details

It was discovered that the GitLab markdown parser (i.e. for rendered MD files and the like) removes style attributes to avoid UI redressing attacks. This is a safe default and recommended. However, <TH> and <TD> elements (and seemingly only these) can in fact carry style attributes, for unknown reasons. This allows an attacker to create styles for a <TH> or <TD> element that produce an absolutely positioned overlay that can be used for phishing and UI redressing purposes. The following example snippet illustrates the Markdown necessary for a PoC attack.

<table><tr><td style="position: fixed; top: 0px; left: 0px; height:
50px; width: 50px; background: red; z-index: 999; font-size: 36px;">
<div>Please click <u>here</u> to legitely change your passwerd.</div>
</td></tr></table>

Note that the attacker can also overlay existing links with transparent panels and thus can have every click a user performs redirected to a different origin.

Reproduction Steps

  • Create a file with the sample HTML content seen above
  • Upload that file to a repository in GitLab
  • Click on the uploaded file to render it

Recommendation

No element should have the possibility to carry style attributes. If style attributes are necessary, a CSS sanitizer should be utilized that prohibits the use of positioning directives and transparency properties.
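
One way to implement the CSS sanitizer recommended above, as an added example that is not GitLab's own code: an allow-list filter applied to the value of each style attribute. The names sanitize_style and ALLOWED_DECLARATIONS, and the choice of permitted properties, are assumptions made for illustration.

```ruby
# Added example (not GitLab code): allow-list filter for a style attribute value.
# Only the properties listed here survive, and only with the exact values shown,
# so position, top/left, z-index, opacity, background, url() etc. never pass.
# The property set is an assumption: what a Markdown table cell plausibly needs.
ALLOWED_DECLARATIONS = {
  'text-align'     => /\A(left|right|center|justify)\z/,
  'vertical-align' => /\A(top|middle|bottom|baseline)\z/,
  'font-weight'    => /\A(normal|bold|[1-9]00)\z/
}.freeze

# The style value from the PoC in this issue, including its line break.
POC_STYLE = "position: fixed; top: 0px; left: 0px; height:\n" \
            '50px; width: 50px; background: red; z-index: 999; font-size: 36px;'

# Returns a rebuilt style string holding only allow-listed declarations.
# An empty result means the caller should drop the style attribute entirely.
def sanitize_style(style)
  return '' if style.nil?

  kept = style.split(';').map do |declaration|
    property, value = declaration.split(':', 2)
    next if property.nil? || value.nil?

    property = property.strip.downcase
    value = value.strip.downcase
    pattern = ALLOWED_DECLARATIONS[property]
    # Unknown property, or a value with comments, escapes, functions or
    # anything else outside the exact pattern: discard the declaration.
    next unless pattern && pattern.match?(value)

    "#{property}: #{value}"
  end
  kept.compact.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_style(POC_STYLE).inspect
  puts sanitize_style('text-align: center; position: fixed; opacity: 0').inspect
end
```

Because the output is rebuilt from matched property names and values rather than passed through, CSS comments and backslash escapes in the input cannot reach the rendered page.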
