GitLab.org / GitLab · Issue #211949 · Closed

Issue created Mar 20, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Send arbitrary PUT requests when user clicks on a link

HackerOne report #824689 by yvvdwf on 2020-03-19, assigned to @jeremymatos:

Dear teams,

Summary

Mermaid allows users to set the class name of a block. This ability becomes vulnerable in Gitlab issues because of issue.js#L90:

```javascript
// Excerpt as quoted in the report. The handler is delegated on the whole document,
// so any element in the page that matches the class selector triggers the PUT,
// including elements rendered from user-controlled markdown.
return $(document).on(
  'click',
  '.js-issuable-actions a.btn-close, .js-issuable-actions a.btn-reopen',
  e => {
    ...
    const $button = $(e.currentTarget);
    ...
    // The request target is taken straight from the clicked link's href.
    const url = $button.attr('href');
    return axios
      .put(url)
      .then(({ data }) => {
    ...
```

Steps to reproduce

  1. Create any issue
  2. Enter the following payload as the description of the issue:

```mermaid
graph TD;
 A[Click to send a PUT request];
 class A js-issuable-actions;
 class A btn-close;
 click A "./put-destination" "click to PUT"
```

After saving the issue, if you click on the block "Click to send a PUT request", a PUT request will be sent to ./put-destination.

Impact

Since the attacker can control ./put-destination, he can theoretically perform any PUT request on behalf of the current user.
For example, the attacker can use the following URL to update the description of issue #2 (closed):

/api/v4/projects/16210710/issues/2?description=a

Examples

An example is available here: https://gitlab.com/yvvdwf/xss/-/issues/1 (it is private, please let me know if you cannot access it)

Output of checks

This bug happens on GitLab.com.

Impact

When a user's click is received, the attacker may perform arbitrary PUT requests on behalf of the user.
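The weakness in the report is that the handler trusts CSS class names alone, while the Mermaid payload shows that class names are user-controlled. The following is an added example, not GitLab's code and not from the report: a DOM-free model of the delegated click decision, with the vulnerable match beside a hardened one that requires structural trust and a same-origin, allowlisted target. The flags `appRendered` and `userContent`, the origin and the path pattern are assumptions constructed for the example.

```javascript
// Added example (not GitLab's code, not from the report): a DOM-free model of the
// delegated click handler quoted in the report, vulnerable match beside a hardened one.
// Elements are plain objects { tag, classes, href, parent } plus two hypothetical flags:
// appRendered (container emitted by the app itself) and userContent (container that
// rendered user-supplied markdown). The origin and path pattern are constructed.
const ORIGIN = 'https://gitlab.example';
const ISSUE_PATH = /^\/[^/]+\/[^/]+\/-\/issues\/\d+$/; // constructed allowlist

const hasClass = (el, c) => (el.classes || []).includes(c);

function ancestors(el) {
  const chain = [];
  for (let p = el.parent; p; p = p.parent) chain.push(p);
  return chain;
}

// Vulnerable: mirrors the selector '.js-issuable-actions a.btn-close' applied to the
// whole document. Anything that can set class names (Mermaid's `class A ...`) qualifies.
function vulnerableShouldPut(el) {
  return el.tag === 'a'
    && (hasClass(el, 'btn-close') || hasClass(el, 'btn-reopen'))
    && ancestors(el).some(a => hasClass(a, 'js-issuable-actions'));
}

// Hardened: class names are not trusted on their own. The link must sit inside an
// app-rendered actions container, must not be nested in rendered user content, and its
// href must resolve to the same origin and to the expected issue endpoint.
function hardenedShouldPut(el) {
  const chain = ancestors(el);
  const inActions = chain.some(a => hasClass(a, 'js-issuable-actions') && a.appRendered === true);
  const inUserContent = chain.some(a => a.userContent === true);
  if (el.tag !== 'a' || !inActions || inUserContent) return false;
  let url;
  try { url = new URL(el.href, ORIGIN); } catch (e) { return false; }
  return url.origin === ORIGIN && ISSUE_PATH.test(url.pathname);
}

// Constructed DOM fragments: the real close button, and a link rendered from a Mermaid
// diagram in the issue description that carries the same class names.
const actions = { tag: 'div', classes: ['js-issuable-actions'], appRendered: true, parent: null };
const realClose = { tag: 'a', classes: ['btn-close'], href: '/grp/proj/-/issues/1', parent: actions };
const md = { tag: 'div', classes: ['md'], userContent: true, parent: null };
const fakeActions = { tag: 'g', classes: ['node', 'js-issuable-actions'], parent: md };
const injected = { tag: 'a', classes: ['btn-close'], href: './put-destination', parent: fakeActions };
```

Both checks accept the real button; only the hardened one rejects the injected link, even though it resolves to the same origin.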
