Generic command Injections

HackerOne report #1059557 by yvvdwf on 2020-12-15, assigned to @rchan-gitlab:

Report

Hello,

The descriptions of Feature flags are not sanitized enough. It currently uses DOMPurify to allow only the <strong> tag and all DOM attributes of this tag. This allows attackers to introduce any DOM attributes and, when combined with other existing JavaScript functions on GitLab, attackers might trick victims into making any PUT requests.

The following attack scenario allows setting a normal account as administrator.

Steps to reproduce

as Attackers

  1. In any existing project, or create a new project, go to Operations/Feature Flags, click New feature flag button.
  2. Fill the form in New feature flag as the following:
  • Name: XSS (or anything, it is not important)
  • Description: <strong style="position:absolute;top:0;left:0;right:0;bottom:0;z-index:99999" data-url="/api/v4/users/USER_ID?admin=true" class=js-usage-consent-action>. In the URL above, replace USER_ID with your user ID, which must exist in your GitLab instance.
  • Click Create feature flag to save the flag

as Admin

  1. Go to Admin area/Monitoring/Audit log. After opening the Audit log, you might notice that there exists a transparent layer on the topmost. That layer intercepts any click events.
  2. Click anywhere (to set the attacker as administrator)

Impact

Attackers might use this vulnerability to escalate permissions.

What is the current bug behavior?

The descriptions of feature flags are not sanitized correctly.

What is the expected correct behavior?

Any DOM attributes of <strong> tags in the description of feature flags should be eliminated.
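Added example, not part of the report or of GitLab's code: a minimal allowlist sanitizer that implements the expected behaviour stated above (keep <strong>, drop every attribute, render any other tag as text), run against the description payload from the steps above. The function name and the hand-written tokenizer are this example's own; in a DOMPurify deployment the equivalent policy is `ALLOWED_TAGS: ['strong'], ALLOWED_ATTR: []`.

```javascript
// Allowlist sanitizer for feature flag descriptions (added example, not GitLab's code).
// Policy: only <strong> and </strong> survive, with every attribute removed;
// anything else (other tags, stray '<', attribute values) is escaped as text.
// DOMPurify equivalent: DOMPurify.sanitize(html, { ALLOWED_TAGS: ['strong'], ALLOWED_ATTR: [] })
const ALLOWED_TAGS = new Set(['strong']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeDescription(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const gt = html.indexOf('>', lt);
    // Unterminated tag: fail closed by escaping the rest as plain text.
    if (gt === -1) { out += escapeText(html.slice(lt)); break; }
    const inner = html.slice(lt + 1, gt).trim();
    const closing = inner.startsWith('/');
    // Tag name is the first run of letters after the optional '/'; everything
    // after it (style=, data-url=, class=, on*=) is attribute text and is never copied.
    const m = /^\/?\s*([a-zA-Z][a-zA-Z0-9]*)/.exec(inner);
    if (m && ALLOWED_TAGS.has(m[1].toLowerCase())) {
      out += closing ? '</strong>' : '<strong>';
    } else {
      out += escapeText(html.slice(lt, gt + 1)); // not on the allowlist: shown literally
    }
    i = gt + 1;
  }
  return out;
}

// Constructed sample: the description from the report's reproduction steps.
const REPORT_PAYLOAD = '<strong style="position:absolute;top:0;left:0;right:0;bottom:0;z-index:99999" ' +
  'data-url="/api/v4/users/USER_ID?admin=true" class=js-usage-consent-action>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sanitizeDescription(REPORT_PAYLOAD + 'Feature is on</strong>'));
}
```

The clickjacking layer depends entirely on the attributes, so once the sanitizer emits a bare `<strong>` the existing `js-usage-consent-action` handler has nothing to act on.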

Output of checks
Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)

System information  
System:		Ubuntu 18.04  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.7.2p137  
Gem Version:	3.1.4  
Bundler Version:2.1.4  
Rake Version:	13.0.1  
Redis Version:	5.0.9  
Git Version:	2.29.0  
Sidekiq Version:5.2.9  
Go Version:	unknown

GitLab information  
Version:	13.6.0-ee  
Revision:	c050e8fb184  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.9  
URL:		http://gl.local  
HTTP Clone URL:	http://gl.local/some-group/some-project.git  
SSH Clone URL:	git@gl.local:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	13.13.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

How To Reproduce

Please add reproducibility information to this section: