Stored XSS in pipeline-tooltip when using .gitlab-ci.yml file with payload as yaml-topic with scripts
Link: https://hackerone.com/reports/365172
By: @fransrosen
Details: Hi,
By using the following .gitlab-ci.yml
in your project:
---
"<img src=x onerror=alert(document.domain)>":
script:
- "echo \"hej\""
Then committing anything to the repository, the tooltip of the job inside the CI/CD pipeline will not be properly sanitized:
This also happens when viewing the specific pipeline-job:
PoC
To reproduce, create a new repository. Create the following file in the master-branch, called .gitlab-ci.yml
:
---
"<img src=x onerror=alert(document.domain)>":
script:
- "echo \"hej\""
Commit the file, then go to CI/CD Pipelines. Hover the task and the javascript should execute.
You can also click the task and hover the pipeline inside the jobs-view for the same result.
Impact
The stored XSS is triggering for anyone, also triggering on gitlab.com, and it can trigger on public repos. You could easily build a PoC that would modify the email address of the current user or stealing their CSRF-token as soon as the script triggers, or try stealing information about the user's other private repositories.
Regards, Frans Rosén
2018-06-12 22:52:35 +0000: @fransrosen (comment) Same thing in the tooltip of the stage-viewer: