Stored XSS in blob viewer
HackerOne report #806571 by yvvdwf
on 2020-02-27, assigned to @jeremymatos:
Summary
I found a stored XSS in the blob viewer when viewing a JSON file.
In particular, when viewing an OpenAPI file, openapi_viewer is called to pass the file's data to SwaggerUIBundle for rendering.
SwaggerUIBundle does its job of rendering a graphical representation of the OpenAPI content. It also allows HTML tags and attributes in the OpenAPI description. Although it removes malicious tags and attributes, this is not enough in GitLab's context:
- class and style attributes allow attackers to arbitrarily control the presentation of their content. My demo below uses the class attribute to create a transparent layer that fills the document to intercept any user's clicks.
- data-* attributes, with the help of jquery-ujs, allow attackers to create any request to the server when the user clicks (not only GET, but also PUT, DELETE, HEAD) with arbitrary parameters.
- The current CSP is easily bypassed by jQuery.globalEval. In my demo below, you should see an alert after clicking anywhere.
Steps to reproduce
- In any project, create a file named xss-openapi.json, then put in the following content:
{
  "swagger": "2.0",
  "info": {
    "description": "<a href=https://gitlab.com/yvvdwf/data/-/wikis/alert.md data-type=script style='cursor:default' data-remote=true class='atwho-view select2-drop-mask pika-select'></a><script>alert(0)</script>"
  }
}
- Click anywhere on the document view; you should see an alert.
Impact
There are three impacts, as in the Summary above. The most important is the stored XSS, which allows attackers to perform any action on behalf of users on the client side.
Examples
(This repository is in private mode, please let me know if you cannot access it)
https://gitlab.com/yvvdwf/xss/-/blob/master/xss-openapi.json
What is the current bug behavior?
GitLab does not check the result generated by SwaggerUIBundle.
What is the expected correct behavior?
It should remove any inappropriate HTML attributes, such as data-*, style and class.
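One way to implement the stripping this section asks for, as an added example that is not GitLab's fix and not the reporter's code: a post-processing pass over the HTML that SwaggerUIBundle would render, built on Python's standard-library HTMLParser, which drops script elements and the class, style and data-* attributes and records what it removed. The input is the description string from the report's xss-openapi.json, embedded inline.

```python
from html import escape
from html.parser import HTMLParser

# Unsafe in GitLab's context per the report: class/style give layout control (the
# click-catching layer), data-* becomes requests via jquery-ujs, <script> must go.
FORBIDDEN_ATTRS = {"class", "style"}
FORBIDDEN_TAGS = {"script"}

class DescriptionSanitizer(HTMLParser):
    """Re-serialise a fragment minus forbidden tags (with bodies) and attributes."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self._skip += 1  # swallow the element and everything inside it
            self.dropped.append(tag)
        elif not self._skip:
            kept = []
            for name, value in attrs:
                if name in FORBIDDEN_ATTRS or name.startswith("data-"):
                    self.dropped.append(name)
                else:  # re-quote so unquoted values like href=... stay well-formed
                    kept.append(f' {name}="{escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in FORBIDDEN_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # re-escape decoded text

def sanitize_description(fragment):
    """Return (clean_html, names of dropped tags/attributes in document order)."""
    parser = DescriptionSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped

# The description value from the report's xss-openapi.json, constructed inline.
REPORT_DESCRIPTION = (
    "<a href=https://gitlab.com/yvvdwf/data/-/wikis/alert.md data-type=script style='cursor:default' "
    "data-remote=true class='atwho-view select2-drop-mask pika-select'></a><script>alert(0)</script>"
)
```

The dropped list is worth logging: a description that sheds data-* attributes or a script element is a strong signal that the file was crafted rather than authored as API documentation.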
Output of checks
This bug happens on GitLab.com
Impact
The stored XSS allows attackers to perform any action on behalf of users on the client side.