Generic command Injections
HackerOne report #1059557 by yvvdwf on 2020-12-15, assigned to @rchan-gitlab:
Report
Hello,
The descriptions of feature flags are not sanitized enough. They currently use DOMPurify to allow only the <strong> tag and all DOM attributes of that tag. This allows attackers to introduce any DOM attributes and, when combined with other existing JavaScript functions on GitLab, attackers might trick victims into making any PUT request.
The following attack scenario allows setting a normal account as administrator.
Steps to reproduce
As attacker:
- In any existing project, or create a new project, go to Operations/Feature Flags and click the "New feature flag" button.
- Fill the "New feature flag" form as follows:
  - Name: XSS (or anything, it is not important)
  - Description: <strong style="position:absolute;top:0;left:0;right:0;bottom:0;z-index:99999" data-url="/api/v4/users/USER_ID?admin=true" class=js-usage-consent-action>
    In the URL above, replace USER_ID with your user ID that exists in your GitLab instance.
- Click "Create feature flag" to save the flag.
As admin:
- Go to Admin area/Monitoring/Audit log. After opening the Audit log, you might notice that there is a transparent layer on the topmost level. That layer intercepts any click events.
- Click anywhere (to set the attacker as administrator).
Impact
Attackers might use this vulnerability to escalate privileges.
What is the current bug behavior?
The descriptions of feature flags are not sanitized correctly.
What is the expected correct behavior?
Any DOM attributes of <strong> tags in the description of feature flags should be eliminated.
Output of checks
Results of GitLab environment info (for installations with the omnibus-gitlab package, the output of: sudo gitlab-rake gitlab:env:info)
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.1
Redis Version: 5.0.9
Git Version: 2.29.0
Sidekiq Version: 5.2.9
Go Version: unknown
GitLab information
Version: 13.6.0-ee
Revision: c050e8fb184
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.9
URL: http://gl.local
HTTP Clone URL: http://gl.local/some-group/some-project.git
SSH Clone URL: git@gl.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.13.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
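To make the mechanism in the report concrete, here is an added illustration; it is not GitLab's code and it is not DOMPurify itself, but a toy allowlist sanitizer that models the two DOMPurify options that decide which attributes of the reporter's payload survive. Two facts about DOMPurify are modelled: an explicit ALLOWED_ATTR replaces its built-in attribute allowlist (which includes class and style), and data-* attributes are accepted by default (ALLOW_DATA_ATTR: true) before the ALLOWED_ATTR lookup is consulted. Assumptions: DEFAULT_ATTRS is a hand-picked subset of the real built-in list, USER_ID is set to 42, and weakConfig, partialConfig and hardenedConfig are my own names for the three configurations compared.

```javascript
'use strict';

// Added example, not code from GitLab or DOMPurify: a toy allowlist sanitizer
// that models how DOMPurify decides which attributes survive. Only the options
// relevant to the report are modelled: ALLOWED_TAGS, ALLOWED_ATTR and
// ALLOW_DATA_ATTR. Regex-based and not for production use.

// Hand-picked subset of DOMPurify's built-in attribute allowlist (assumption).
// The real list is much longer, but it does contain "class" and "style".
const DEFAULT_ATTRS = new Set(['class', 'style', 'title', 'id', 'href', 'src', 'alt']);

// One attribute: a name, then an optional ="..." / ='...' / =bare value.
const ATTR_RE = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// One start or end tag: group 1 is the "/" of an end tag, group 2 the tag
// name, group 3 the raw attribute text.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;

function sanitizeHtml(html, config) {
  const allowedTags = new Set(config.ALLOWED_TAGS.map((t) => t.toLowerCase()));
  // Like DOMPurify: an explicit ALLOWED_ATTR replaces the built-in list.
  const allowedAttrs = Array.isArray(config.ALLOWED_ATTR)
    ? new Set(config.ALLOWED_ATTR.map((a) => a.toLowerCase()))
    : DEFAULT_ATTRS;
  // Like DOMPurify: data-* attributes pass unless explicitly disabled, and
  // that check is made before the ALLOWED_ATTR lookup.
  const allowData = config.ALLOW_DATA_ATTR !== false;

  return html.replace(TAG_RE, (_match, slash, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!allowedTags.has(tag)) return ''; // drop the tag, keep its text content
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if ((allowData && attr.startsWith('data-')) || allowedAttrs.has(attr)) {
        kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
      }
    }
    return kept.length ? `<${tag} ${kept.join(' ')}>` : `<${tag}>`;
  });
}

// Sorted attribute names present in an HTML fragment, for checking the output.
function attributeNames(html) {
  const names = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const m of tag[3].matchAll(ATTR_RE)) names.push(m[1].toLowerCase());
  }
  return names.sort();
}

// The reporter's payload with USER_ID replaced by an arbitrary value (42, assumption).
const PAYLOAD =
  '<strong style="position:absolute;top:0;left:0;right:0;bottom:0;z-index:99999" ' +
  'data-url="/api/v4/users/42?admin=true" class=js-usage-consent-action>';

// Three configurations (my names): the one the report describes, a first
// attempt at the expected behaviour, and the one that strips every attribute.
const weakConfig = { ALLOWED_TAGS: ['strong'] };
const partialConfig = { ALLOWED_TAGS: ['strong'], ALLOWED_ATTR: [] };
const hardenedConfig = { ALLOWED_TAGS: ['strong'], ALLOWED_ATTR: [], ALLOW_DATA_ATTR: false };

function survivingAttributes(config) {
  return attributeNames(sanitizeHtml(PAYLOAD, config));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, cfg] of Object.entries({ weakConfig, partialConfig, hardenedConfig })) {
    console.log(label, '->', sanitizeHtml(PAYLOAD, cfg));
  }
}
```

Running the reporter's payload through the three configurations shows why the expected behaviour stated in the report needs more than restricting the tag list: with ALLOWED_TAGS alone, class, style and data-url all survive, which is the whole chain (the class hooks the existing click handler, data-url supplies the PUT target, style covers the page). Adding ALLOWED_ATTR: [] drops class and style, which breaks the handler hook, but data-url still survives because DOMPurify's data-attribute pass-through is a separate switch; only ALLOW_DATA_ATTR: false removes every attribute. The toy parses with regular expressions purely to stay self-contained; in a real application the sanitizer should be DOMPurify (or equivalent) configured with those options.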