
Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

HackerOne report #1730461 by ryotak on 2022-10-11, assigned to GitLab Team:


Report

Summary

Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.

Description

In app/views/projects/diffs/_diffs.html.haml, the following code is used to generate a link to remove whitespace changes from the diff.

app/views/projects/diffs/_diffs.html.haml line 24

= toggle_whitespace_link(url_for(params_with_whitespace), class: 'd-none d-sm-inline-block')

app/helpers/diff_helper.rb line 280-282

def params_with_whitespace
  hide_whitespace? ? request.query_parameters.except(:w) : request.query_parameters.merge(w: 1)
end

Because params_with_whitespace builds its hash from request.query_parameters instead of safe_params, and that hash is passed straight to url_for (and from there into link_to), arbitrary query parameters from the request reach the URL builder.
Since url_for interprets keys such as protocol and host as URL-building options rather than as query string entries, an attacker can inject a javascript: URL into the link and achieve XSS.

Steps to reproduce
Self-hosted instance (with an alert)
  1. Set up your own GitLab instance.
  2. Log in to the GitLab instance.
  3. Create a project.
  4. From the sidebar, click Wiki.
  5. Click Create your first page
  6. Fill in the contents.
  7. Click Create page
  8. Open https://YOUR_OWN_INSTANCE/USERNAME/PROJECT_NAME/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)//
  9. Click Hide whitespace changes
  10. Confirm that alert(document.domain) has been executed.
GitLab.com (with a CSP error message)
  1. Log in to your GitLab account.
  2. Create a project.
  3. From the sidebar, click Wiki.
  4. Click Create your first page
  5. Fill in the contents.
  6. Click Create page
  7. Open https://gitlab.com/USERNAME/PROJECT_NAME/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)//
  8. Open DevTools.
  9. Click Hide whitespace changes.
  10. Confirm that CSP prevented the execution of JavaScript.
Examples

https://gitlab.com/Ry0taK/testproject/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)//

What is the current bug behavior?

request.query_parameters is used, which may include dangerous parameters.

What is the expected correct behavior?

safe_params should be used to filter the dangerous parameters.
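To make the root cause described above and the expected fix concrete, the following is an added Ruby example; it is not GitLab's code. It contains a simplified stand-in for Rails' url_for (the real method does far more, but it does treat :protocol and :host as URL-building options), the vulnerable params_with_whitespace pattern from the report beside an allow-list version that plays the role safe_params plays in GitLab, and a scheme check a defender can run over any link before it is rendered. The function names, the keys in DIFF_PARAM_ALLOWLIST and the hostnames are assumptions made for this example.

```ruby
# Added example, not GitLab's code: models why raw request.query_parameters
# must not reach url_for, and how an allow-list (the role of safe_params)
# closes the hole.
require 'uri'

# Keys that Rails' url_for consumes as URL-building options instead of
# query string entries (subset; assumption for this simplified model).
URL_OPTIONS = %i[protocol host port anchor only_path].freeze

# Simplified stand-in for Rails' url_for: URL options shape the scheme and
# host, everything else is serialised into the query string.
def toy_url_for(path, params)
  opts = params.to_h.transform_keys(&:to_sym)
  query = opts.reject { |k, _| URL_OPTIONS.include?(k) }
  protocol = opts.fetch(:protocol, 'https').to_s.delete_suffix('://')
  host = opts.fetch(:host, 'gitlab.example').to_s # assumed default host
  qs = query.empty? ? '' : "?#{URI.encode_www_form(query)}"
  "#{protocol}://#{host}#{path}#{qs}"
end

# Vulnerable pattern from the report: every request parameter passes through,
# including ones url_for treats as URL options.
def params_with_whitespace_unsafe(query_parameters, hide_whitespace)
  if hide_whitespace
    query_parameters.reject { |k, _| k.to_s == 'w' }
  else
    query_parameters.merge('w' => 1)
  end
end

# Hardened pattern: only keys the diff view actually understands survive.
# The list is an assumption standing in for GitLab's safe_params.
DIFF_PARAM_ALLOWLIST = %w[w view expanded].freeze

def params_with_whitespace_safe(query_parameters, hide_whitespace)
  permitted = query_parameters.select { |k, _| DIFF_PARAM_ALLOWLIST.include?(k.to_s) }
  if hide_whitespace
    permitted.reject { |k, _| k.to_s == 'w' }
  else
    permitted.merge('w' => 1)
  end
end

# Defender's check: a link rendered into a page must keep an http(s) scheme.
# An unparseable URL (e.g. one containing CR/LF) is treated as unsafe.
def safe_link?(url)
  %w[http https].include?(URI.parse(url).scheme)
rescue URI::InvalidURIError
  false
end

# Runs both variants over the same constructed request parameters and
# returns the two generated links for inspection.
def demo
  # Constructed request: one legitimate diff option plus two URL options
  # that should never have been honoured.
  raw = { 'protocol' => 'javascript', 'host' => 'attacker.invalid', 'view' => 'inline' }
  path = '/g/p/-/wikis/home/diff'
  {
    unsafe: toy_url_for(path, params_with_whitespace_unsafe(raw, false)),
    safe:   toy_url_for(path, params_with_whitespace_safe(raw, false))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, url| puts "#{name}: #{url} (safe_link? #{safe_link?(url)})" }
end
```

The point of the allow-list is that it is keyed on what the view needs, not on what is known to be dangerous: url_for accepts more option keys than protocol and host, so a deny-list would have to track Rails internals, while a permit-list only changes when the diff view itself gains an option.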

Relevant logs and/or screenshots

2022-10-11_22-54-51.mp4

Details of CVSS
Attack Vector: Network (Attacks can be performed over the internet.)  
Attack Complexity: Low (Attack complexity shouldn't be affected by user interactions.)  
Privileges Required: Low (An attacker needs to create a project before attacking the victim.)  
User Interaction: Required (Clicks are required.)  
Scope: Changed (The vulnerable component and the impacted component are different; GitLab server and the browser)  
Confidentiality: High (Since an attacker can perform arbitrary actions on behalf of the user, this should be rated as High.)  
Integrity: High (Same as above.)  
Availability: None (Account takeover doesn't directly affect the availability.)  
Results of GitLab environment info
System information  
System:         Ubuntu 20.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.7.5p203  
Gem Version:    3.1.6  
Bundler Version:2.3.15  
Rake Version:   13.0.6  
Redis Version:  6.2.7  
Sidekiq Version:6.4.2  
Go Version:     unknown

GitLab information  
Version:        15.4.1-ee  
Revision:       7b2ed8f038f  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     13.6  
URL:            https://gl.ryotak.me  
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git  
SSH Clone URL:  git@gl.ryotak.me:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.10.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  
Impact

An attacker can execute arbitrary JavaScript on the victim's browser and do any actions on behalf of the user.
