Arbitrary GFM references rendered in Incident Timeline Events leak private/confidential resources
HackerOne report #1652853 by yvvdwf
on 2022-07-28, assigned to @ngeorge1:
Report
Hi,
GitLab recently introduced the Incident Timeline events feature. The events' description is generated using the TimelineEventPipeline pipeline, which allows the following filters:

```ruby
def self.filters
  @filters ||= FilterArray[
    *super,
    Filter::SanitizationFilter,
    *Banzai::Pipeline::GfmPipeline.reference_filters,
    Filter::EmojiFilter,
    Filter::ExternalLinkFilter,
    Filter::ImageLinkFilter
  ]
end
```
The reference_filters expand any references. Consequently, when the description of a timeline event references private or confidential resources, it will render their titles.
Normally these private/confidential resources are redacted when rendering for users without permission. Somehow this redaction is not used in the incident timeline event.
Steps to reproduce:
As a normal user (victim):
- Create a private project, let's call it victim/project-a, then create a confidential issue inside. Its GFM reference is now victim/project-a#1
As an attacker:
- In an existing project, or create a new one
- Go to Monitor/Incidents and create an incident
- Open the Timeline tab of the incident you've created. Then create a new timeline event and reference the issue above: fill victim/project-a#1 in the Timeline text
- You should now see the issue's title rendered in the description of the event
Example
I tested on gitlab.com. I used gitlab-org/gitlab#367408 as payload, which is used to track one of my previous H1 reports.
The example is available in this private project: https://gitlab.com/yvvdwf/xss/-/issues/12
Impact
This vulnerability allows rendering all GFM references, such as merge requests, issues, etc., even if they are private or confidential.
For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, and thus leak their titles.
Best regards,
yvvdwf
Impact
This vulnerability allows an attacker to access all private or confidential GFM references, such as merge requests, issues, etc.
For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, and thus leak their titles.
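An added illustration of the mechanism the report describes (example code written for this page, not GitLab's own code): a two-stage Markdown reference pipeline in Ruby, where the first stage expands `group/project#N` references into links carrying the issue title, and the second stage redacts any reference the viewer is not allowed to read. The project names, issue titles, the `can_read?` helper and the `render_leaky`/`render_redacted` functions are all assumptions constructed for this example, as is the sample data. Rendering with only the expansion stage reproduces the leak and the issue-number scan from the report; adding the viewer-scoped redaction pass closes it.

```ruby
# Added illustration, not GitLab code: reference expansion with and without a
# viewer-scoped redaction pass. All data and helper names below are constructed.
require 'cgi'

Issue = Struct.new(:project, :iid, :title, :confidential)

# Constructed sample data: a private victim project with a confidential issue,
# and a public attacker project with an ordinary issue.
PROJECTS = {
  'victim/project-a' => { visibility: :private, members: ['victim'] },
  'attacker/blog'    => { visibility: :public,  members: ['attacker'] }
}.freeze

ISSUES = [
  Issue.new('victim/project-a', 1, 'Customer DB credentials rotated after breach', true),
  Issue.new('attacker/blog', 1, 'Fix typo in README', false)
].freeze

# "group/project#N" style reference, as used in the report.
REF_RE = %r{(?<project>[\w.-]+/[\w.-]+)#(?<iid>\d+)}

def find_issue(project, iid)
  ISSUES.find { |i| i.project == project && i.iid == iid }
end

# Hypothetical authorization rule: project members read everything; everyone
# else may read only non-confidential issues of public projects.
def can_read?(viewer, issue)
  proj = PROJECTS.fetch(issue.project)
  return true if proj[:members].include?(viewer)
  proj[:visibility] == :public && !issue.confidential
end

# Stage 1 (reference filter): expand each reference into a link whose text is
# the issue title. This stage has no notion of who will read the output.
def expand_references(text)
  text.gsub(REF_RE) do
    m = Regexp.last_match
    issue = find_issue(m[:project], m[:iid].to_i)
    next m[0] unless issue
    %(<a class="gfm" data-project="#{issue.project}" data-iid="#{issue.iid}" ) +
      %(href="/#{issue.project}/-/issues/#{issue.iid}">#{CGI.escapeHTML(issue.title)}</a>)
  end
end

# Stage 2 (redactor): replace expanded links the viewer may not read with the
# original plain reference text, so the title never reaches them.
def redact(html, viewer)
  html.gsub(%r{<a class="gfm" data-project="([^"]+)" data-iid="(\d+)"[^>]*>[^<]*</a>}) do
    project, iid = $1, $2.to_i
    issue = find_issue(project, iid)
    can_read?(viewer, issue) ? $& : "#{project}##{iid}"
  end
end

# Vulnerable rendering: expansion only, as in a pipeline without a redaction step.
def render_leaky(text, _viewer)
  expand_references(text)
end

# Hardened rendering: expansion followed by redaction for the requesting viewer.
def render_redacted(text, viewer)
  redact(expand_references(text), viewer)
end

# The scan the report describes: probe iids 1..n of a project through the given
# renderer and collect every title that comes back.
def leaked_titles(project, n, viewer, renderer)
  (1..n).filter_map do |iid|
    html = send(renderer, "#{project}##{iid}", viewer)
    html[%r{>([^<]+)</a>}, 1]
  end
end

if $PROGRAM_NAME == __FILE__
  puts "leaky:    #{leaked_titles('victim/project-a', 5, 'attacker', :render_leaky).inspect}"
  puts "redacted: #{leaked_titles('victim/project-a', 5, 'attacker', :render_redacted).inspect}"
end
```

The design point is that redaction must be keyed on the viewer at the moment the HTML is served. Expansion can be shared or cached, but any path that returns expanded HTML without the redaction pass (as the timeline event description did here) turns every reference filter into an oracle for titles the viewer cannot otherwise see.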