Stored XSS in link to package using homepage in package.json when project is private
The corresponding issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2702
Link: https://hackerone.com/reports/388611
By: @fransrosen
Details: Hi,
When a package.json is present in the repository, the blob-viewer will show the following notice while browsing the repository:
The logic of this popup is here:
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/models/blob_viewer/package_json.rb
The problem is, whenever the package is set into private, the URL to the package is decided by the "homepage"-property of the package.json.
By setting it to:
javascript:alert(document.domain)
like this:
{
"name": "axx",
"private":true,
"homepage": "javascript:alert(document.domain)"
}
uploading that package.json to a repository will make the link like this:
This project manages its dependencies using
<strong>npm</strong>
and defines a private package named
<strong><a target="_blank" rel="noopener noreferrer" href="javascript:alert(document.domain)">axx</a></strong>.
And will run when clicked on:
The vulnerable part is here:
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/models/blob_viewer/package_json.rb#L24
As you see, there's no verification that the URL is a https?://
-value, and the attacker is able to set it into a javascript-URI.
Mitigation
Make sure that the homepage is only used if it begins with https?://
.
Impact
The stored XSS is triggering for anyone, also triggering on gitlab.com, and it can trigger on public repos. You could easily build a PoC that would modify the email address of the current user or stealing their CSRF-token as soon as the script triggers, or try stealing information about the user's other private repositories.
Regards, Frans