Stored XSS via Zoom meeting url on project import
HackerOne report #832117 by vakzz
on 2020-03-26, assigned to @rchan-gitlab:
Summary
When importing a project that has an issue with a Zoom meeting, the `ZoomUrlValidator` only checks that the `url` field contains a valid Zoom URL somewhere inside it, not that the whole field is a valid Zoom URL. This allows a URL such as `javascript:alert(document.domain);//https://zoom.us/my/5556` to pass validation and to be set as the `href` of the `Join Zoom meeting` link.
```ruby
class ZoomUrlValidator < ActiveModel::EachValidator
  def validate_each(record, attribute, value)
    # Passes as long as exactly one Zoom link occurs anywhere in the value
    return if Gitlab::ZoomLinkExtractor.new(value).links.size == 1

    record.errors.add(:url, 'must contain one valid Zoom URL')
  end
end
```

```ruby
class ZoomLinkExtractor
  # Unanchored: matches a Zoom URL at any position in the text
  ZOOM_REGEXP = %r{https://(?:[\w-]+\.)?zoom\.us/(?:s|j|my)/\S+}.freeze

  def initialize(text)
    @text = text.to_s
  end

  def links
    @text.scan(ZOOM_REGEXP)
  end

  def match?
    ZOOM_REGEXP.match?(@text)
  end
end
```
Steps to reproduce

- Create a new project
- Add an issue
- Add a comment with `/zoom https://zoom.us/my/5556` to add a Zoom meeting
- Export the project
- Change the `url` attribute of the Zoom meeting in `project.json` to `javascript:alert(document.domain);//https://zoom.us/my/5556`
- Import the project
- Command/Control-clicking the `Join zoom meeting` button will trigger the payload in Chrome/Firefox; a regular left click does so in Safari/Edge
Demo
zoom-xss.mp4
Examples
This also happens on gitlab.com but is blocked there by the CSP: https://gitlab.com/vakzz-h1/zoom_xss/-/issues/1
What is the current bug behavior?

The `url` of a `ZoomMeeting` can be anything so long as it contains a valid Zoom link somewhere inside it.

What is the expected correct behavior?

The `url` of a `ZoomMeeting` should be a valid Zoom URL.
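The two checks side by side, as an added example that is not GitLab's code: `contains_one_zoom_link?` reproduces the substring behaviour described in the summary using the report's `ZOOM_REGEXP`, while `whole_value_is_zoom_link?` is a constructed anchored variant matching the expected behaviour above, which also requires the value to parse as an https URI on a zoom.us host. Method names, the error message wording and the sample values are assumptions made here.

```ruby
require 'uri'

# Same pattern as the report's ZoomLinkExtractor: unanchored, so it matches anywhere.
ZOOM_REGEXP = %r{https://(?:[\w-]+\.)?zoom\.us/(?:s|j|my)/\S+}.freeze

# Behaviour described in the report: accept if exactly one Zoom URL occurs
# somewhere inside the value, regardless of what surrounds it.
def contains_one_zoom_link?(value)
  value.to_s.scan(ZOOM_REGEXP).size == 1
end

# Hardened check (constructed here, not GitLab's fix): the whole value must match
# the Zoom pattern from \A to \z, and must parse as an https URI whose host is
# zoom.us or a subdomain of it. Anything before the scheme (such as a javascript:
# prefix) or a foreign host fails.
def whole_value_is_zoom_link?(value)
  text = value.to_s
  return false unless /\A#{ZOOM_REGEXP}\z/.match?(text)

  uri = URI.parse(text)
  uri.is_a?(URI::HTTPS) && (uri.host == 'zoom.us' || uri.host.end_with?('.zoom.us'))
rescue URI::InvalidURIError
  false
end

# Validator-style wrapper: returns the error list the hardened check would attach
# to the :url attribute (message wording is an assumption).
def zoom_url_errors(value)
  whole_value_is_zoom_link?(value) ? [] : ['must be a single valid Zoom URL']
end

# Constructed sample values: one legitimate link, the report's payload, and a
# value that merely embeds a Zoom link inside another URL.
SAMPLES = [
  'https://zoom.us/my/5556',
  'javascript:alert(document.domain);//https://zoom.us/my/5556',
  'https://evil.example/?next=https://zoom.us/my/5556'
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |value|
    puts format('%-62s substring=%-5s anchored=%s', value,
                contains_one_zoom_link?(value), whole_value_is_zoom_link?(value))
  end
end
```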
Output of checks
Results of GitLab environment info
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.5p114
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.24.1
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.8.7-ee
Revision: 2643fd87200
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.12
URL: http://gitlab-vm.local
HTTP Clone URL: http://gitlab-vm.local/some-group/some-project.git
SSH Clone URL: git@gitlab-vm.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 11.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact

If a user clicks the link, the attacker could execute requests on behalf of that user.