Cross-site scripting in "Maximum page reached" page affecting self-hosted instances running without strict CSP
HackerOne report #1728015 by ryotak
on 2022-10-10, assigned to @cmaxim:
Report | Attachments | How To Reproduce
Report
Summary
Due to the use of non-filtered params
in the Maximum page reached
page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.
Description
In app/views/explore/projects/page_out_of_bounds.html.haml
, the following code is used to generate a link to return to the explore page.
app/views/explore/projects/page_out_of_bounds.html.haml
line 21
= link_to _("Back to page %{number}") % { number: [@]max_page_number }, request.params.merge(page: [@]max_page_number), class: 'gl-button btn btn-inverted'
As request.params
instead of safe_params
is used to pass parameters to link_to
, arbitrary parameters can be passed here.
Since link_to
supports parameters such as protocol
or host
, it's possible to inject javascript:
URLs and achieves XSS.
Steps to reproduce
Self-hosted instance (with an alert)
- Set up your own GitLab instance.
- Open https://YOUR_OWN_INSTANCE/explore/projects?page=51&protocol=javascript&host=%250dalert(document.domain)//
- Click
Back to page 50
- Confirm that
alert(document.domain)
has been executed.
GitLab.com (with a CSP error message)
- Open https://gitlab.com/explore/projects?page=51&protocol=javascript&host=%250dalert(document.domain)//
- Open DevTools.
- Click
Back to page 50
. - Confirm that CSP prevented the execution of JavaScript.
Examples
https://gitlab.com/explore/projects?page=51&protocol=javascript&host=%250dalert(document.domain)//
What is the current bug behavior?
request.params
is used, which may include dangerous parameters.
What is the expected correct behavior?
safe_params
should be used to filter the dangerous parameters.
Relevant logs and/or screenshots
Results of GitLab environment info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.2
Go Version: unknown
GitLab information
Version: 15.4.1-ee
Revision: 7b2ed8f038f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: https://gl.ryotak.me
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
SSH Clone URL: git@gl.ryotak.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Impact
An attacker can execute arbitrary JavaScript on the victim's browser and do any actions on behalf of the user.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: