ESCALATED: Gitlab.com afflicted by markdown bug
HackerOne report #651964 by 0-1
on 2019-07-20, assigned to hackerjuan
Summary
Image URLs in Markdown are not properly validated by your server, which allows an attacker to point the URL anywhere, resulting in a same-origin GET request that carries the viewer's cookies. If the URL points to the logout endpoint, the viewer loses the ability to perform any authenticated action on the page. This afflicts various areas of the website, one of which is the "Issues" page of a project.
note: This will permanently afflict them; even logging in through a new tab and going back to submit the previous action does not resolve the issue (I assume the CSRF token becomes invalidated?).
Steps to reproduce
As this afflicts various areas of the website, I decided to use "Issues" as an example.
1) Go to any project and select Issues.
2) Comment this on any open issue:
![look at my cute kitty](https://gitlab.com/users/sign_out?nav_source=navbar)
3) Try to do any action that requires authentication, e.g. add a comment.
For HackerOne staff so they can easily verify:
1) Go to https://gitlab.com/snippets/new
2) Put this in the description:
![look at my cute kitty](https://gitlab.com/users/sign_out?nav_source=navbar)
3) Keep the visibility private, because if you select public then any user exploring snippets will be hit.
4) Create the snippet (do not preview!).
5) Try to do any action on that page that requires authentication (e.g. add a comment) or refresh the page.
Examples
https://gitlab.com/vilegreed/test1/issues/2
note to HackerOne/GitLab team: project is private so users don't accidentally trigger the bug.
What is the current bug behavior?
DoS
What is the expected correct behavior?
Only allowing URLs with actual images to be embedded.
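One way a renderer can enforce that expectation, as an added example that is not GitLab's code and not part of the original report: treat any image URL that is same-origin (relative, protocol-relative or absolute on the site's own host) as one the browser will send session cookies to, and only let it through when it points at the static image store; cross-origin image URLs cannot carry the site's cookies and are left alone. The host name and the `/uploads/` prefix are assumptions for the example. This is a mitigation layer in the Markdown pipeline; a logout endpoint that changes state on a plain GET remains the deeper issue for any cookie-bearing request.

```python
import re
from urllib.parse import urlsplit

# Constructed example values (assumptions, not GitLab's configuration):
SITE_HOSTS = {"gitlab.com"}              # origin whose session cookies would ride along
ALLOWED_IMAGE_PREFIXES = ("/uploads/",)  # where user-uploaded images are assumed to be served

# Matches Markdown images: ![alt](url) with an optional "title".
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def image_url_allowed(url: str) -> bool:
    """Return True only if embedding this URL as an <img> is considered safe."""
    parts = urlsplit(url.strip())
    # Only http(s) or scheme-less (relative / protocol-relative) URLs can be images here.
    if parts.scheme not in ("", "http", "https"):
        return False
    host = parts.hostname  # lower-cased, port and userinfo stripped; None for relative URLs
    if host is None or host in SITE_HOSTS:
        # Same-origin request: the browser attaches cookies, so restrict it to the
        # static image store and refuse query strings (e.g. ?nav_source=navbar).
        return parts.path.startswith(ALLOWED_IMAGE_PREFIXES) and not parts.query
    # Cross-origin: no site cookies are sent; leave it to the browser or an asset proxy.
    return True


def sanitize_markdown_images(md: str) -> str:
    """Rewrite disallowed image embeds as plain text so no request is ever issued."""
    def repl(match: re.Match) -> str:
        alt, url = match.group(1), match.group(2)
        if image_url_allowed(url):
            return match.group(0)
        return f"[blocked image: {alt}]"
    return IMAGE_RE.sub(repl, md)


if __name__ == "__main__":
    # Constructed sample input: the payload shape from the report plus a legitimate upload.
    sample = (
        "![look at my cute kitty](https://gitlab.com/users/sign_out?nav_source=navbar)\n"
        "![real kitty](/uploads/abc123/kitty.png)\n"
    )
    print(sanitize_markdown_images(sample))
```

Running the block prints the first embed replaced by `[blocked image: look at my cute kitty]` while the `/uploads/` image is left untouched.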
Relevant logs and/or screenshots
N/A
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A
Impact
A user will be forcefully logged out of his/her session. They will be unable to perform any actions on that page that require them to be logged in. They cannot refresh the page (it will redirect them back to the page where the exploit is), because when they log in again, they'll be logged out. Opening a new tab and logging in does not allow them to submit any actions on the previous tab.
This bug afflicts the following parts of the GitLab website:
Project Issues -> An attacker can comment on an existing issue, forcefully preventing any action on that page. That includes, but is not limited to:
- Commenting.
- Closing the issue.
- Creating a merge request (imagine if the issue is trying to resolve a vulnerability in the project, the owner will be unable to merge it into the master branch).
Snippets -> you can create a snippet with public permissions and anyone who clicks on your snippet at https://gitlab.com/explore/snippets will be affected. If you comment on a snippet, anyone who views that snippet will be logged out.
An attacker could also comment on every single snippet in the feed, maximizing the chaos.
Everywhere else Markdown is supported.