
Clipboard based XSS in the title field of work items

HackerOne report #1767745 by ryotak on 2022-11-09, assigned to GitLab Team:


Report

Summary

Due to improper handling of clipboard contents in the title field of work items, an attacker is able to insert a malicious HTML element that triggers the execution of JavaScript.

Please refer to #1196958 for a similar report and discussions about this vulnerability type.

Description

In the work_items/components/item_title.vue component of GitLab, the title field is a span that carries the contenteditable attribute.
app/assets/javascripts/work_items/components/item_title.vue line 42-59

    <span
      id="item-title"
      ref="titleEl"
      role="textbox"
      :aria-label="__('Title')"
      :data-placeholder="placeholder"
      :contenteditable="!disabled"
      class="gl-px-4 gl-py-3 gl-ml-n4 gl-border gl-border-white gl-rounded-base gl-display-block"
      :class="{ 'gl-hover-border-gray-200 gl-pseudo-placeholder': !disabled }"
      @blur="handleBlur"
      @keyup="handleInput"
      @keydown.enter.exact="handleSubmit"
      @keydown.ctrl.u.prevent
      @keydown.meta.u.prevent
      @keydown.ctrl.b.prevent
      @keydown.meta.b.prevent
      >{{ title }}</span
    >

Since a contenteditable element preserves data- attributes when HTML clipboard contents are pasted into it, malicious clipboard contents can insert elements with arbitrary data- attributes, including data-method or data-url.

Since ActionView (through rails-ujs) uses data- attributes to control the behavior of HTML elements, and its data-method handler interpolates the attribute value into HTML markup without escaping it, a pasted element with a crafted data-method attribute can execute arbitrary JavaScript on GitLab.
actionview/app/javascript/rails-ujs/features/method.js line 9-16

    const method = link.getAttribute("data-method")
    if (!method) { return }

    const href = rails.href(link)
    const csrfToken = csrf.csrfToken()
    const csrfParam = csrf.csrfParam()
    const form = document.createElement("form")
    let formContent = `<input name='_method' value='${method}' type='hidden' />`

The clipboard.html attachment used in the steps below sets the clipboard contents as follows:

    e.clipboardData.setData('text/html', `<a href="#" data-method="'><img src onerror=alert(document.domain)>">Click me</a>`);
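
As an added illustration of where this bug class can be closed (example code, not GitLab's or rails-ujs's own), the JavaScript below shows two defensive layers: a paste handler that inserts only the clipboard's text/plain flavour into the contenteditable title, so pasted attributes such as data-method never reach the DOM, and an allowlist check on the data-method value before it is used near an HTML sink. The names `titleTextFromClipboard`, `handleTitlePaste` and `methodOverride` are assumptions.

```javascript
// Added example, not code from GitLab or rails-ujs. Two defensive layers for
// the bug described above: (1) the paste source never reads text/html, so a
// pasted <a data-method="..."> cannot enter the contenteditable title;
// (2) the data-method consumer accepts only a fixed set of HTTP methods, so
// the attribute value can never carry markup into the form it builds.

// Layer 1: reduce a clipboard paste to single-line plain text.
// `clipboardData` is anything with a DataTransfer-like getData(type).
function titleTextFromClipboard(clipboardData) {
  // Only the text/plain flavour is consulted; text/html is ignored entirely.
  const raw = clipboardData.getData('text/plain') || '';
  // A work item title is one line: collapse whitespace and line breaks.
  return raw.replace(/\s+/g, ' ').trim();
}

// Paste handler for the contenteditable title element (hypothetical name);
// bind it with @paste on the span in the browser.
function handleTitlePaste(event) {
  event.preventDefault(); // suppress the browser's default HTML paste
  const text = titleTextFromClipboard(event.clipboardData);
  if (!text) return;
  const selection = window.getSelection();
  if (!selection || selection.rangeCount === 0) return;
  const range = selection.getRangeAt(0);
  range.deleteContents();
  const node = document.createTextNode(text); // a text node, never markup
  range.insertNode(node);
  range.setStartAfter(node);
  range.collapse(true);
  selection.removeAllRanges();
  selection.addRange(range);
}

// Layer 2: validate data-method before it is used anywhere near an HTML sink.
const ALLOWED_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete']);
function methodOverride(method) {
  const m = String(method || '').trim().toLowerCase();
  return ALLOWED_METHODS.has(m) ? m : null; // null: refuse to build the form
}
```

`titleTextFromClipboard` and `methodOverride` are pure and can be unit-tested outside a browser; only `handleTitlePaste` touches the DOM.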

Steps to reproduce

1. Set up your own GitLab instance.
2. Log in to the GitLab instance.
3. Create a project.
4. Append /-/work_items/new to the end of the project path. (e.g. https://{GITLAB_INSTANCE}/{USERNAME}/{PROJECT_NAME}/-/work_items/new)
5. Download clipboard.html
6. Open clipboard.html in the browser
7. Click Copy
8. Paste it to the title field of the page that you opened in step 4.
9. Click Click me
10. Confirm that alert(document.domain) is executed.

2022-11-09_22-42-50.mp4

What is the current bug behavior?

Malicious clipboard contents can inject an HTML element carrying an XSS payload.

What is the expected correct behavior?

GitLab shouldn't allow the injection of a malicious HTML element.

Results of GitLab environment info

    System information
    System:         Ubuntu 20.04
    Proxy:          no
    Current User:   git
    Using RVM:      no
    Ruby Version:   2.7.5p203
    Gem Version:    3.1.6
    Bundler Version:2.3.15
    Rake Version:   13.0.6
    Redis Version:  6.2.7
    Sidekiq Version:6.4.2
    Go Version:     unknown

    GitLab information
    Version:        15.5.3-ee
    Revision:       48f51d8b0c3
    Directory:      /opt/gitlab/embedded/service/gitlab-rails
    DB Adapter:     PostgreSQL
    DB Version:     13.6
    URL:            https://gl.ryotak.me
    HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
    SSH Clone URL:  git@gl.ryotak.me:some-group/some-project.git
    Elasticsearch:  no
    Geo:            no
    Using LDAP:     no
    Using Omniauth: yes
    Omniauth Providers:

    GitLab Shell
    Version:        14.12.0
    Repository storage paths:
    - default:      /var/opt/gitlab/git-data/repositories
    GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Impact

An attacker can execute arbitrary JavaScript in the victim's browser and perform any action on behalf of that user.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
