Stored XSS in repository file viewer
HackerOne report #1072868 by kannthu
on 2021-01-06, assigned to @cmaxim:
Report | Attachments | How To Reproduce
Report
Summary
There exists XSS in swagger-ui version used in GitLab open API viewer. The XSS exists due to the old version of DOMpurify used in swagger-ui that allows an attacker can inject any HTML elements with any attributes (except script tag) on the page.
The XSS in POC requires 1 click anywhere on the page to execute, because of CSP that does not allow to execute events from HTML tags. (f.e. <img src=1 onerror=alert(1)). I will try to find CSP bypass that will allow me to execute the script with no user interaction.
My script uses the CSP bypass presented in #213273 (closed)
<a
data-remote="true"
data-method="get"
data-type="script"
href="/wbowling/wiki/raw/master/test.js"
class='atwho-view select2-drop-mask pika-select'>
</a>
Steps to reproduce
- Go to https://gitlab.com/kannthu/asdasdas123/-/blob/master/openapi.yaml (tested on Chrome and Firefox)
- Click anywhere on the page
- You should see the alert box
There is another way of executing this XSS. You can add "url=https://gitlab.com/kannthu/asdasdas123/-/raw/master/openapi.yaml" parameter to the URL of any open API file in any repository, and the XSS will still work.
- Open https://gitlab.com/gitlab-org/build/omnibus-mirror/alertmanager/blob/master/api/v2/openapi.yaml?url=https://gitlab.com/kannthu/asdasdas123/-/raw/master/openapi.yaml
- Click anywhere on the page
- You should see the alert box
Impact
The stored XSS is triggering for any user that opens the page and clicks anywhere on the page. The PoC can easily be extended to steal the user's CSRF token and to take over the victim's account.
Examples
- https://gitlab.com/kannthu/asdasdas123/-/blob/master/openapi.yaml
- https://gitlab.com/gitlab-org/build/omnibus-mirror/alertmanager/blob/master/api/v2/openapi.yaml?url=https://gitlab.com/kannthu/asdasdas123/-/raw/master/openapi.yaml
What is the current bug behavior?
Gitlab uses an old version of swagger-ui.
What is the expected correct behavior?
Gitlab should use the newest version of swagger-ui.
Relevant logs and/or screenshots
Screenshot_2021-01-06_at_17.47.53.png
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Impact
The stored XSS is triggering for any user that opens the page and clicks anywhere on the page. An attacker can render anything on that page - malicious form to steal the user's login and password, or simply get the user's CSRF token and to take over the victim's account.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: