
Stored XSS via autocomplete results in rich text editor

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2404710 by yvvdwf on 2024-03-06, assigned to @cmaxim:


Report

Hello,

Recently Gitlab improved autocomplete results in rich text editor:

    // https://gitlab.com/gitlab-org/gitlab/-/blob/3617b242c79d080dc3757c2defb5574170566051/app/assets/javascripts/content_editor/components/suggestions_dropdown.vue#L236-244
    // Wraps the part of `text` that matches the user's query in a <strong> tag.
    // `text` (e.g. an issue title) is interpolated into the HTML string unescaped.
    highlight(text) {
      return this.query
        ? String(text).replace(
            new RegExp(this.query, 'i'),
            (match) => `<strong class="gl-text-body!">${match}</strong>`,
          )
        : text;
    },

Although the results are then rendered via v-safe-html, an attacker can inject some DOM attributes, such as the class attribute, which can be exploited to execute arbitrary JavaScript on the client side.

Reproduction

As attacker:

  1. create a public snippet with a JSON file alert.json containing {"html":"<script>alert(document.domain)</script>"}, then open the raw version and make a note of the path, for example: https://gitlab.com/-/snippets/3683972/raw/main/alert.json

snippet.png

  2. create a new project and add a new issue with the following title:

    test issue <i class=inline-parallel-buttons><a href=/-/snippets/3683972/raw/main/alert style="position:fixed;transform:translate3d(-2000px,-5000px,0px);width:10000px;height:20000px">

Note: replace the URL in href with the path to your JSON file noted above, with the following modifications:

  • no https://gitlab.com prefix
  • no .json suffix

issue.png

As victim:

go to the project, modify a file, then create a new merge request:

merge-request.png

  1. click Changes to open a diff view
  2. click Switch to rich text editing if you are in plain text editing mode
  3. in Description, enter the # character to get suggestion results for the project's issues. Once the suggestion list appears, you might notice a transparent layer on top. Click anywhere to trigger the XSS.

Note:

PR:L, as attackers need only permission to create a public snippet and an issue inside the victim's project. An issue can also be created via Service Desk, which is enabled by default for any project. If so, attackers can even create an issue on a private project.

Impact:

XSS with CSP bypassed allows attackers to perform arbitrary actions on behalf of victims

Best,
yvvdwf

Impact

XSS with CSP bypassed allows attackers to perform arbitrary actions on behalf of victims
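The root cause in the reported `highlight()` is that the candidate text (here an issue title) is interpolated into an HTML string unescaped, so `v-safe-html` only ever sees markup that already contains the attacker's attributes. The following is an added example, not GitLab's code: the reported function as a stand-alone `highlightVulnerable`, next to a hardened `highlightSafe` that matches against the raw text, then HTML-escapes each segment and escapes regex metacharacters in the query, so the only markup in the output is the `<strong>` wrapper it emits itself. The sample title is constructed.

```javascript
// Escape the HTML-significant characters so text is rendered literally.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape regex metacharacters so the query is matched literally
// (an unescaped query such as "(" would throw; "." would match anything).
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Reported behaviour: `text` goes into the HTML string unchanged, so any
// tags or attributes in an issue title survive into the rendered dropdown.
function highlightVulnerable(text, query) {
  return query
    ? String(text).replace(
        new RegExp(query, 'i'),
        (match) => `<strong class="gl-text-body!">${match}</strong>`,
      )
    : text;
}

// Hardened variant: locate the (single, case-insensitive) match on the raw
// text, then escape prefix, match and suffix separately before wrapping.
function highlightSafe(text, query) {
  const raw = String(text);
  if (!query) return escapeHtml(raw);
  const m = new RegExp(escapeRegExp(query), 'i').exec(raw);
  if (!m) return escapeHtml(raw);
  const end = m.index + m[0].length;
  return (
    escapeHtml(raw.slice(0, m.index)) +
    `<strong class="gl-text-body!">${escapeHtml(m[0])}</strong>` +
    escapeHtml(raw.slice(end))
  );
}

// Constructed sample: an issue title carrying an injected attribute.
const TITLE = 'test issue <i class=inline-parallel-buttons>';
console.log(highlightVulnerable(TITLE, 'test')); // tag passes through intact
console.log(highlightSafe(TITLE, 'test'));       // tag rendered as text
```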

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: