Stored XSS via autocomplete results in rich text editor
HackerOne report #2404710 by yvvdwf
on 2024-03-06, assigned to @cmaxim:
Report
Hello,
Recently GitLab improved autocomplete results in the rich text editor:
```javascript
// https://gitlab.com/gitlab-org/gitlab/-/blob/3617b242c79d080dc3757c2defb5574170566051/app/assets/javascripts/content_editor/components/suggestions_dropdown.vue#L236-244
highlight(text) {
  return this.query
    ? String(text).replace(
        // the user-typed query is used directly as a regex source, and only the
        // match is wrapped in markup; the rest of `text` passes through unescaped
        new RegExp(this.query, 'i'),
        (match) => `<strong class="gl-text-body!">${match}</strong>`,
      )
    : text;
},
```
Although the results are then rendered via v-safe-html, an attacker can still inject some DOM attributes, such as the class attribute, that can be exploited to execute arbitrary JavaScript on the client side.
Reproduction
As attacker:
- create a public snippet with a json file alert.json containing {"html":"<script>alert(document.domain)</script>"}, then open the raw version and make note of the path, for example: https://gitlab.com/-/snippets/3683972/raw/main/alert.json
- create a new project and add a new issue with the following title:
test issue <i class=inline-parallel-buttons><a href=/-/snippets/3683972/raw/main/alert style="position:fixed;transform:translate3d(-2000px,-5000px,0px);width:10000px;height:20000px">
Note: replace the url in href by the path to your json file noted above, with the following modifications:
- no https://gitlab.com prefix
- no .json suffix
As victim:
go to the project, modify a file, then create a new merge request:
- click Changes to open a diff view
- click Switch to rich text editing if you are in plain text editing mode
- in Description, enter the # character to get suggestion results of the project's issues. Once the suggestion list appears, you might notice a transparent layer on the topmost. Click anywhere to trigger XSS.
Note: PR:L, as attackers need only permission to create a public snippet and an issue inside the victim's project. An issue can also be created via Service Desk, which is enabled by default for any project. If so, attackers can even create an issue on a private project.
Impact:
XSS with CSP bypassed allows attackers to perform arbitrary actions on behalf of victims
Best,
yvvdwf
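The root cause in the quoted highlight() is that the raw suggestion text is interpolated into HTML and the typed query is used as an unescaped regex source, with sanitization left entirely to v-safe-html. The following is an added example (not GitLab's code) placing that pattern beside a hardened variant that matches on the raw text and HTML-escapes every segment before inserting its own fixed markup; the sample title is constructed and uses a placeholder snippet path.

```javascript
const HIGHLIGHT_OPEN = '<strong class="gl-text-body!">';
const HIGHLIGHT_CLOSE = '</strong>';

// Vulnerable shape, as in the report: attacker-controlled text (e.g. an issue
// title) is returned as HTML unescaped, and the query is a raw regex source.
function highlightUnsafe(text, query) {
  return query
    ? String(text).replace(new RegExp(query, 'i'), (m) => `${HIGHLIGHT_OPEN}${m}${HIGHLIGHT_CLOSE}`)
    : text;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hardened form: locate the (first, case-insensitive) match on the raw text,
// then escape the prefix, the match and the suffix separately so that the only
// markup in the output is the fixed <strong> wrapper. No tag or attribute from
// the input survives, so nothing is left for the HTML sanitizer to get wrong.
function highlightSafe(text, query) {
  const str = String(text);
  if (!query) return escapeHtml(str);
  const m = new RegExp(escapeRegExp(query), 'i').exec(str);
  if (!m) return escapeHtml(str);
  const end = m.index + m[0].length;
  return escapeHtml(str.slice(0, m.index))
    + HIGHLIGHT_OPEN + escapeHtml(m[0]) + HIGHLIGHT_CLOSE
    + escapeHtml(str.slice(end));
}

// Constructed sample resembling the issue title in the report (placeholder path).
const SAMPLE_TITLE = 'test issue <i class=inline-parallel-buttons>'
  + '<a href=/-/snippets/EXAMPLE_ID/raw/main/alert style="position:fixed">';
```

The unsafe version also throws on a query containing regex metacharacters (for example a lone parenthesis), which the escaped version handles as a literal.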