
Stored XSS via Zoom meeting url on project import

HackerOne report #832117 by vakzz on 2020-03-26, assigned to @rchan-gitlab:

Summary

When importing a project that has an issue with a zoom meeting, the ZoomUrlValidator only checks to see if the url field contains a valid url, not that the whole field is a valid url. This allows a url such as javascript:alert(document.domain);//https://zoom.us/my/5556 to pass the validation and to be set as the href of the Join Zoom meeting link.

class ZoomUrlValidator < ActiveModel::EachValidator
  def validate_each(record, attribute, value)
    # passes whenever exactly one Zoom link is found anywhere in the value
    return if Gitlab::ZoomLinkExtractor.new(value).links.size == 1

    record.errors.add(:url, 'must contain one valid Zoom URL')
  end
end

class ZoomLinkExtractor
  # unanchored: matches a Zoom URL embedded anywhere in the text
  ZOOM_REGEXP = %r{https://(?:[\w-]+\.)?zoom\.us/(?:s|j|my)/\S+}.freeze

  def initialize(text)
    @text = text.to_s
  end

  def links
    @text.scan(ZOOM_REGEXP)
  end

  def match?
    ZOOM_REGEXP.match?(@text)
  end
end

Steps to reproduce

  1. Create a new project
  2. Add an issue
  3. Add a comment with /zoom https://zoom.us/my/5556 to add a zoom meeting
  4. Export the project
  5. Change the url attribute of the zoom meeting in project.json to be javascript:alert(document.domain);//https://zoom.us/my/5556
  6. Import the project
  7. Command/Control clicking the Join zoom meeting button will trigger the payload in Chrome/Firefox or a regular left click in Safari/Edge

Demo
zoom-xss.mp4

Examples

This also happens on gitlab.com but is blocked due to the CSP

https://gitlab.com/vakzz-h1/zoom_xss/-/issues/1
Screen_Shot_2020-03-27_at_12.31.49_am.png

What is the current bug behavior?

The url of a ZoomMeeting can be anything so long as it contains a valid zoom link somewhere inside it.

What is the expected correct behavior?

The url of a ZoomMeeting should be a valid zoom url.

Output of checks

Results of GitLab environment info

System information  
System:		Ubuntu 18.04  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.5p114  
Gem Version:	2.7.10  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	5.0.7  
Git Version:	2.24.1  
Sidekiq Version:5.2.7  
Go Version:	unknown

GitLab information  
Version:	12.8.7-ee  
Revision:	2643fd87200  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	10.12  
URL:		http://gitlab-vm.local  
HTTP Clone URL:	http://gitlab-vm.local/some-group/some-project.git  
SSH Clone URL:	git@gitlab-vm.local:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers:

GitLab Shell  
Version:	11.0.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Impact

If a user clicks the link then the attacker could execute requests on behalf of the user

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
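Added example, not part of the report and not GitLab's code: a plain-Ruby stand-in for the extractor/validator pair quoted in the report, with a whole-field check beside it, run over constructed sample values. The `contains_one_zoom_link?` and `valid_zoom_url?` helpers and the sample strings are assumptions made for this illustration; only `ZOOM_REGEXP` is taken from the report.

```ruby
require 'uri'

# Regexp as quoted in the report: unanchored, so it matches a Zoom URL
# embedded anywhere in a longer string.
ZOOM_REGEXP = %r{https://(?:[\w-]+\.)?zoom\.us/(?:s|j|my)/\S+}.freeze

# Equivalent of the validator described in the report (hypothetical
# helper, not GitLab's method): accepts any value in which exactly one
# Zoom URL occurs somewhere.
def contains_one_zoom_link?(value)
  value.to_s.scan(ZOOM_REGEXP).size == 1
end

# Whole-field check (hypothetical helper). \A and \z anchor to the start
# and end of the entire string; Ruby's ^ and $ match at line boundaries,
# so a value with a newline before the Zoom URL would slip past them.
# The path character class also excludes quotes and angle brackets so the
# value can only ever be one URL token.
STRICT_ZOOM_REGEXP = %r{\Ahttps://(?:[\w-]+\.)?zoom\.us/(?:s|j|my)/[^\s"'<>]+\z}.freeze

def valid_zoom_url?(value)
  str = value.to_s
  return false unless STRICT_ZOOM_REGEXP.match?(str)

  # Second, independent check: parse as a URI and confirm the scheme and
  # host, so the accepted value is what the href will actually point at.
  uri = URI.parse(str)
  return false unless uri.is_a?(URI::HTTPS) && uri.host

  uri.host == 'zoom.us' || uri.host.end_with?('.zoom.us')
rescue URI::InvalidURIError
  false
end

# Constructed sample values (not taken from the report's project.json),
# mapped to the result the whole-field check should give.
SAMPLES = {
  'https://zoom.us/my/5556' => true,
  'https://us02web.zoom.us/j/123456789' => true,
  'javascript:alert(document.domain);//https://zoom.us/my/5556' => false,
  "javascript:alert(1)\nhttps://zoom.us/j/1" => false,
  'https://zoom.us/my/5556 https://zoom.us/my/5557' => false,
  'https://evil.example/?u=https://zoom.us/j/1' => false
}.freeze

# Returns [value, contains-check result, whole-field result] per sample,
# showing which values the contains-check lets through.
def compare(samples = SAMPLES)
  samples.keys.map { |v| [v, contains_one_zoom_link?(v), valid_zoom_url?(v)] }
end

if $PROGRAM_NAME == __FILE__
  compare.each do |value, loose, strict|
    printf("%-62s contains=%-5s whole_field=%s\n", value.inspect, loose, strict)
  end
end
```

Run it directly to see the two checks side by side: the contains-check accepts the report's `javascript:` payload, a newline-prefixed variant and a foreign host carrying a Zoom URL in a query string, while the whole-field check accepts only the two plain Zoom URLs.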