XSS in all areas that accept markdown
HackerOne report #633942 by samuelmortenson on 2019-07-02, assigned to
Gitlab issue descriptions and other areas that accept markdown, like .md files in repositories, are vulnerable to cross-site scripting.
Steps to reproduce
- Visit any area in Gitlab that accepts markdown (easiest for me is the new issue form)
- Copy the code from this gist exactly into the markdown textarea: https://gist.github.com/mortenson/55c60006e336c3c4327d62365fcf04d4
- Click "Preview", or submit the form and load the subsequent page
- See XSS triggered
I verified that this is exploitable on Gitlab.com, and locally in my instance of Gitlab CE.
I created a private project on Gitlab with an issue that triggers XSS: https://gitlab.com/mortenson/test/issues/1
What is the current bug behavior?
When this specially crafted string is rendered by Gitlab, it results in this output:
<img src="o.O" onerror="alert(`samwashere`)">
Which immediately triggers the onerror code on page load.
What is the expected correct behavior?
The onerror attribute (and any attribute that starts with on) should be stripped before HTML is rendered. I wonder if iframe tags should be allowed as well.
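As an added example (not the report's or GitLab's own code; GitLab's sanitizer is Ruby, this is a stdlib-Python illustration), an allowlist sanitizer that drops every on* attribute, unsafe URL schemes and iframe elements, alongside a check that scans already-rendered output for event handlers that got through. The RENDERED string is a constructed sample built from the output quoted in the report, not the gist payload.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample modelled on the rendered output quoted in the report.
RENDERED = ('<p>hi <img src="o.O" onerror="alert(`samwashere`)"> '
            '<a href="javascript:alert(1)" title="t">x</a>'
            '<iframe src="https://example.invalid"></iframe></p>')

# Allowlist: anything not listed is dropped; on* attributes are never allowed.
ALLOWED_TAGS = {"p", "a", "img", "em", "strong", "code", "pre", "ul", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS, SAFE_SCHEMES = {"href", "src"}, ("http:", "https:", "mailto:")
VOID_TAGS, DROP_WITH_CONTENT = {"img", "br"}, {"script", "style", "iframe"}


def safe_url(value):
    v = value.strip().lower()
    return ":" not in v or v.startswith(SAFE_SCHEMES)  # relative, or a safe scheme


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags/attributes; records every drop."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lowercased
        if tag in DROP_WITH_CONTENT:        # element and all of its content go
            self._skip += 1
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, ()) and not name.startswith("on")
            if allowed and name in URL_ATTRS and not safe_url(value or ""):
                allowed = False             # blocks javascript:, data:, vbscript: ...
            if allowed:
                kept.append(f' {name}="{escape(value or "")}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))   # text is re-escaped, never passed raw


def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html); p.close()
    return "".join(p.out), p.dropped


def find_event_handlers(html):
    """Detection check for rendered output: every on* attribute that survived."""
    found = []
    class Scan(HTMLParser):
        def handle_starttag(self, tag, attrs):
            found.extend((tag, n) for n, _ in attrs if n.startswith("on"))
    Scan().feed(html)
    return found


if __name__ == "__main__":
    clean, dropped = sanitize(RENDERED)
    print(clean, dropped, find_event_handlers(RENDERED), find_event_handlers(clean))
```

Running find_event_handlers over the rendered preview page is the regression check for this report: it must return an empty list for any markdown input.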
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
For my local Gitlab CE instance:
$ docker exec 34dd265dab84 gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.21.0
Sidekiq Version:5.2.7
Go Version: unknown

GitLab information
Version: 12.0.2
Revision: 1a9fd38a4ca
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.7
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: email@example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 9.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Any that is feasible with XSS - data loss, forwarding of private information, potentially user session hijacking, phishing to get the user to re-enter their password, etc.
Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2896