Minimize security impact from mermaid XSS

Problem

The mermaid gem is a security problem and has caused numerous XSS - https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/172

Two recent security issues

  1. #345452 (closed)
  2. #345035 (closed)

Impact

Even though these XSSes are security vulnerabilities in a 3rd party library, which should be fixed upstream, we should also take considerable action to minimize its impact on gitlab.com and self-hosted instances.

Ideas

  1. Render sanitized SVG
  2. Using sandboxed iframe
  3. Get rid of mermaid and move to different vendor

Note

This is a public issue

Edited by Dheeraj Joshi
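
A sketch of idea 2, added here as an illustration and not taken from the issue or from GitLab's code base: the host page hands the untrusted diagram source to a sandboxed `srcdoc` iframe, so script injected through the diagram runs in an opaque origin without access to the host's DOM, cookies or storage. `RENDERER_URL`, `buildSandboxedFrame` and the helper names are hypothetical; the renderer bundle is assumed to read the JSON data block and draw into `#out`.

```javascript
// Hypothetical static bundle that runs inside the frame (placeholder URL).
const RENDERER_URL = "https://assets.example.test/diagram-renderer.js";

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Serialise untrusted diagram source as a JSON data block. Every "<" becomes
// a JSON unicode escape, so the payload cannot close the <script> element
// that carries it or open a new one.
function toInertJson(source) {
  return JSON.stringify({ source }).replace(/</g, "\\u003c");
}

// Build the iframe markup the host page inserts in place of the diagram.
function buildSandboxedFrame(diagramSource) {
  const origin = new URL(RENDERER_URL).origin;
  // Inside the frame only the renderer bundle may execute. Inline styles are
  // allowed on the assumption that the renderer emits them in its SVG output.
  const csp = `default-src 'none'; script-src ${origin}; style-src 'unsafe-inline'`;
  const doc = [
    "<!doctype html>",
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    `<script id="diagram" type="application/json">${toInertJson(diagramSource)}</script>`,
    '<div id="out"></div>',
    `<script src="${RENDERER_URL}"></script>`,
  ].join("\n");
  // allow-scripts without allow-same-origin gives the frame an opaque origin.
  // Adding allow-same-origin to a srcdoc frame would let framed script reach
  // the host page and undo the isolation.
  return (
    '<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" ' +
    `srcdoc="${escapeAttr(doc)}"></iframe>`
  );
}
```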