GitLab.org / GitLab / Issues / #362509 (Closed)
Issue created May 16, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Issue any HTTP request when users view an OpenAPI document and click on buttons

HackerOne report #1563383 by yvvdwf on 2022-05-09, assigned to @kmorrison1:

Report

Summary

Hello,

The sanitization of the Swagger OpenAPI viewer does not exclude the form tag. Consequently, attackers may introduce a form which allows sending arbitrary POST requests to the server. PUT, DELETE and PATCH requests can be achieved by setting the value of the `_method` field.

Steps to reproduce
  1. In an existing project (or create a new one), add a file named openapi-form.yml (you can change the basename, but it needs to contain the word openapi, and the .yml extension is important) with the following content:

openapi: 3.0.0
info:
  title: Sample API
servers:
  - url: /api/v4
paths:
  /users/5212593:
    put:
      description: Click `Try it out` then `Execute` buttons to get bounty.
      operationId: api
      parameters:
        - name: admin
          value: true

  2. After committing the file, view it and click the Try it out and then Execute buttons. You will see a POST request to /api/v4/users/5212593. This is an example of escalating my account to Admin.
Impact

Attackers may trick users into performing unintended actions, such as (1) adding attackers as Admin or to a private group, (2) adding attackers' SSH key, etc.

Examples

This example is in private mode, please tell me if you cannot access: https://gitlab.com/yvvdwf/xss/-/blob/master/openapi-form.yml#/default/api

What is the current bug behavior?

The sanitization does not exclude the form tag.

What is the expected correct behavior?

The form tag should be excluded.

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2022-05-09_at_13.45.59.png

How To Reproduce

Please add reproducibility information to this section:
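As an added example (not part of the report above and not GitLab's own sanitizer code), here is an allowlist-based HTML sanitizer in Python that implements the expected behaviour the report asks for: form-related markup is removed from a description before it is rendered, so a `form`, its hidden `_method` input and its submit button never reach the viewer. The tag and attribute allowlist, the constructed sample description and the `EXAMPLE_ID` in its action path are assumptions made for this example; it uses the standard library's `html.parser` rather than the DOMPurify-style sanitizer a browser-side viewer would use, and it also rejects `javascript:` and protocol-relative `href` values, which goes slightly beyond the form tag discussed in the report.

```python
"""Allowlist HTML sanitizer for API-description markup (added example, not GitLab's code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example: markup a description renderer may keep.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol",
                "li", "a", "h1", "h2", "h3", "h4", "blockquote"}
# Attributes kept per allowed tag; on* handlers, style, etc. are never kept.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Elements removed together with everything inside them. Form controls belong here:
# a stray <input> or <button> is exactly what turns a description into a form.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed",
                     "input", "button", "select", "textarea", "option"}
# Any other unknown tag (form, div, span, ...) loses the tag but keeps its text.
VOID_TAGS = {"br", "input", "img", "hr"}


def safe_href(value):
    """Allow http(s)/mailto and same-origin relative links; reject javascript:, data:, //host."""
    parts = urlsplit(value.strip())
    if parts.scheme:
        return parts.scheme.lower() in {"http", "https", "mailto"}
    return not parts.netloc


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []             # sanitized output fragments
        self.dropped = []         # removed tags, useful for logging or metrics
        self._drop_stack = []     # open elements whose content is being discarded

    def _dropping(self):
        return bool(self._drop_stack)

    def handle_starttag(self, tag, attrs):
        if self._dropping():
            if tag in DROP_WITH_CONTENT and tag not in VOID_TAGS:
                self._drop_stack.append(tag)      # track nesting, e.g. <option> in <select>
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self._drop_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)              # <form>: strip the tag, keep the text
            return
        self.out.append(self._render_start(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)          # <br/> etc.; void tags get no end tag

    def handle_endtag(self, tag):
        if self._dropping():
            if tag in self._drop_stack:
                while self._drop_stack.pop() != tag:   # tolerate unclosed children
                    pass
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping():
            self.out.append(escape(data, quote=False))   # re-escape text content

    def _render_start(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return f"<{tag}{''.join(kept)}>"


def sanitize(markup):
    """Return (clean_html, dropped_tags) for a description string."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample in the shape the report describes: a description carrying a form
# whose hidden _method field turns a POST into a PUT. The path and id are placeholders.
SAMPLE_DESCRIPTION = (
    "<p>Click <b>Try it out</b> then <b>Execute</b>.</p>"
    '<form action="/api/v4/users/EXAMPLE_ID" method="post">'
    '<input type="hidden" name="_method" value="put">'
    '<input type="hidden" name="admin" value="true">'
    "<button>Execute</button></form>"
    '<a href="javascript:alert(1)" onclick="x()">docs</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_DESCRIPTION)
    print(clean)      # <p>Click <b>Try it out</b> then <b>Execute</b>.</p><a>docs</a>
    print(dropped)    # ['form', 'input', 'input', 'button']
```

The design point is that the policy is an allowlist: anything not explicitly permitted is stripped, so a new interactive element does not need to be anticipated by a denylist. The `dropped` list is returned so a renderer can log which tags were removed from a document, which is the kind of signal that would have made a form inside an API description visible before a user clicked on it.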
