XSS for Markdown elements where [[_TOC_]] is enabled
Via HackerOne https://hackerone.com/reports/353713
Summary
In the wiki, the filter for replacing a [[_TOC_]]
with a Table of Contents is enabled.
I'm pretty certain the issue is here:
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/banzai/filter/table_of_contents_filter.rb#L69
result[:toc] << %Q{<li><a href="##{header_node.href}">#{header_node.text}</a>}
What basically happens here is that .text
holds the value as a text item, so <
would not be rendered as an entity, but instead as the real <
. So by creating the following content on a wiki page:
[[_TOC_]]
# <img src=x onerror=alert(document.domain)>
The TOC will be generated, but the escaped img-tag will be rendered, and the onerror-attribute will trigger, running the JavaScript provided:
Mitigation
Make sure the content of the anchor is still escaped when moved to the TOC.
Impact
This is a pretty bad issue, since this creates a stored XSS in every place the TOC filter is enabled, the Wiki being one.
Regards, Frans
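As an added illustration, not code from the report or from GitLab: a self-contained Ruby model of the interpolation on the line quoted above, with the decoded header text dropped into the TOC raw beside a version that re-escapes it before building the anchor. The HeaderNode struct, the sample headings and their anchor ids ("introduction", "payload") are constructed stand-ins for the Nokogiri nodes the real filter iterates over; Nokogiri is not used, and the inner HTML is assumed to be what the sanitizer has already escaped.

```ruby
require "cgi"
require "erb"

# Constructed stand-in for the Nokogiri header nodes the real filter walks.
# inner_html is the already-escaped markup the sanitizer produced (assumed);
# id is the anchor slug (constructed, not GitLab's real slug algorithm).
HeaderNode = Struct.new(:id, :inner_html) do
  # Mirrors Nokogiri's Node#text: entities come back decoded, so the
  # escaping done earlier in the pipeline is lost at this point.
  def text
    CGI.unescapeHTML(inner_html)
  end

  def href
    id
  end
end

# Vulnerable shape, as the report describes it: the decoded text is
# interpolated straight back into HTML, so "&lt;img" becomes "<img".
def toc_entry_vulnerable(header_node)
  %Q{<li><a href="##{header_node.href}">#{header_node.text}</a></li>}
end

# Hardened shape: re-escape anything that came out of .text before it is
# placed in an HTML context again (the href is escaped too, for good measure).
def toc_entry_escaped(header_node)
  href = ERB::Util.html_escape(header_node.href)
  text = ERB::Util.html_escape(header_node.text)
  %Q{<li><a href="##{href}">#{text}</a></li>}
end

# Builds the list the filter would emit; the block picks the entry builder.
def build_toc(headers)
  "<ul>" + headers.map { |h| yield h }.join + "</ul>"
end

# Constructed sample: a benign heading plus the heading from the report,
# in the escaped form it has after sanitization.
SAMPLE_HEADERS = [
  HeaderNode.new("introduction", "Introduction"),
  HeaderNode.new("payload", "&lt;img src=x onerror=alert(document.domain)&gt;"),
].freeze

# Crude detector used only for the demonstration: is there a live <img tag?
def contains_raw_tag?(html)
  html.match?(/<img\b/i)
end

if $PROGRAM_NAME == __FILE__
  vulnerable = build_toc(SAMPLE_HEADERS) { |h| toc_entry_vulnerable(h) }
  escaped    = build_toc(SAMPLE_HEADERS) { |h| toc_entry_escaped(h) }
  puts "vulnerable: #{vulnerable}"
  puts "escaped:    #{escaped}"
  puts "raw tag in vulnerable TOC? #{contains_raw_tag?(vulnerable)}"
  puts "raw tag in escaped TOC?    #{contains_raw_tag?(escaped)}"
end
```

The point the model makes is that escaping is not a property of a string but of the context it is written into: the heading was safe inside the sanitized <h1>, but the moment its decoded text is concatenated into new markup it needs escaping again.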
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
Verified
Yes
What is the current bug behavior?
Content following [[TOC]] is rendered as HTML.
What is the expected correct behavior?
No script execution.
Relevant logs and/or screenshots
Note that this is present in the "Preview" as well: