Add <a href=> into our name and bypass "//" being used in URL to create a valid URL + custom image on snippets
HackerOne report #460224 by zseano on 2018-12-11:
Summary: For some reason GitLab allows certain HTML tags in our name, which render when we visit a snippet. Using this we can actually trick the user into visiting our URL when they click our username.
Description: When setting your name, using <a href=x> will render a valid link, except using <a href=https://www.evilsite.com/>hi</a> will not work. However if we use <a href=https:\evilsite.com>notsean</a>, it allows it through and we get this result. The use of \ is important since / is filtered.
If a user clicks on my name to visit my profile, they will actually be redirected to my site instead. To see it in action, visit https://gitlab.com/snippets/1788795 and check out my comment from my account @notsean; hover over my profile and you'll see it redirects to evilsite.com.
We can then be a bit more clever and add an image icon, add the "title" attribute, and we can build a perfect phisher to either harvest their credentials, OR redirect to a GitLab OAuth application and gain access via that (users are more likely to just click ALLOW, especially if they think they will get some VIP upgrade.. :D)
Steps To Reproduce:
- Visit your GitLab account settings and set your name to
<a href=http:\\evilsite.com>notsean <img src="https:\\www.bugbountynotes.com\assets\img\vip.png" title="VIP User"></a>
- Replace notsean with your username to look real.
- Go comment on a snippet and people will see a 'VIP' badge next to your name; hovering over it will show 'VIP User', and clicking it will redirect to our site. The perfect scenario for an attacker! :)
Impact
Add custom HTML to our name and trick users into handing over their credentials or giving us access to their GitLab account via a rogue application designed to look like it will get them a "VIP" upgrade (this is just an example).
Testing Activity
- Test that a user name containing HTML is rendered as text and not as HTML
Security Testing Activity
- Test that names are rendered safely
MR Breakdown
- In https://gitlab.com/gitlab-org/gitlab/blob/master/app/views/shared/notes/_note.html.haml#L35 we call the method sanitize to clean the user name. Nevertheless, that method ends up calling html_safe. Therefore, if the <a> tag is allowed, the user name will be rendered as HTML.
- We can easily fix this by replacing the method sanitize with simple_sanitize. Nevertheless, that method removes all HTML tags from the name. To be consistent with other parts of the platform, we shouldn't do this. In other features, we just render the user name without removing any data, showing it as text instead of as HTML.
- The fix will consist of removing the call to sanitize in that line and just showing the user name directly as text.
- The rendering of the user's name can be modified to not call html_safe, which will fix the rendering of any existing malicious user names.
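Worked example, added here and not part of the report or of GitLab's own code: a small Ruby script that reproduces the bypass described in the report (a check for "//" that a backslash href slips past), normalizes http(s) hrefs the way a WHATWG URL parser in a browser does (a run of "/" or "\" after the scheme is ignored, and "\" elsewhere acts as "/"), and applies the remedy the MR breakdown settled on, rendering the name as text. The naive_name_filter function is an assumed stand-in for whatever check rejected "/" in the real name field, the payload is constructed from the report, and ERB::Util.html_escape from Ruby's standard library stands in for the escaping a Rails view applies to any string that is not html_safe. The normalization goes slightly beyond the report's single case by also handling a backslash inside the path.

```ruby
require 'erb'

# Constructed payload, modelled on the report: the href uses backslashes so a
# filter that only looks for "//" lets it through (two literal backslashes).
EVIL_NAME = "<a href=http:\\\\evilsite.com>notsean</a>"

# Hypothetical stand-in for a name filter that only rejects "//" (the report
# infers that "/" is filtered; this is an assumption about the real check).
def naive_name_filter(name)
  return nil if name.include?('//')
  name # the caller then marks this html_safe and the browser renders the <a>
end

# Pull the href out of an <a ...> tag (quoted or unquoted attribute value).
def extract_href(html)
  html[/href=["']?([^"'\s>]+)/, 1]
end

# Emulate how a WHATWG-conformant browser parses an http(s) URL: after the
# scheme any run of "/" or "\" is skipped, and "\" in the remainder is treated
# as "/". Values with other schemes are returned unchanged.
def resolve_as_browser(href)
  m = href.match(/\A(https?):(.*)\z/i)
  return href unless m
  scheme = m[1].downcase
  rest = m[2].sub(/\A[\/\\]*/, '').gsub("\\", "/")
  host, path = rest.split('/', 2)
  "#{scheme}://#{host}/#{path}"
end

# A link check done the way the browser will actually read the href:
# normalize first, then look for an external authority.
def external_link_after_normalization?(name)
  href = extract_href(name)
  return false unless href
  resolve_as_browser(href).include?('//')
end

# The remedy chosen in the MR breakdown: do not sanitize-and-html_safe the
# name at all; escape it so the whole <a> tag shows up as literal text.
def render_name_as_text(name)
  ERB::Util.html_escape(name)
end

if __FILE__ == $0
  puts "naive filter passes payload: #{!naive_name_filter(EVIL_NAME).nil?}"
  puts "browser resolves href to:    #{resolve_as_browser(extract_href(EVIL_NAME))}"
  puts "flagged after normalization: #{external_link_after_normalization?(EVIL_NAME)}"
  puts "rendered as text:            #{render_name_as_text(EVIL_NAME)}"
end
```

The point of the script is the order of operations: a string check on the raw attribute value is answering a different question from the one the browser asks, so either normalize before checking or, as the fix did, never hand user-controlled markup to html_safe in the first place.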