Issue any http requests when users view an openapi document and click on buttons
**[HackerOne report #1563383](https://hackerone.com/reports/1563383)** by `yvvdwf` on 2022-05-09, assigned to @kmorrison1:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
Hello,
The sanitization of the Swagger OpenAPI viewer does not exclude the `form` tag. Consequently, attackers may introduce a `form` which allows sending arbitrary POST requests to the server. PUT, DELETE and PATCH requests can be achieved by setting the value of the `_method` field.
##### Steps to reproduce
1. In an existing project (or create a new one), add a file `openapi-form.yml` (you can change the basename, but it needs to contain the word `openapi`, and the `.yml` extension is important) with the following content:
```yaml
openapi: 3.0.0
info:
  title: Sample API
servers:
  - url: /api/v4
paths:
  /users/5212593:
    put:
      description: Click `Try it out` then `Execute` buttons to get bounty.
      operationId: api
      parameters:
        - name: admin
          value: true
```
2. After committing the file, view it and click the `Try it out` and then `Execute` buttons. You will see a POST request to `/api/v4/users/5212593`. This is an example of escalating my account to Admin.
##### Impact
Attackers may trick users into performing unattended actions, such as (1) adding attackers to Admin or a private group, (2) adding attackers' SSH key, etc.
##### Examples
This example is in private mode; please tell me if you cannot access it: https://gitlab.com/yvvdwf/xss/-/blob/master/openapi-form.yml#/default/api
##### What is the current *bug* behavior?
The sanitization does not exclude the `form` tag.
##### What is the expected *correct* behavior?
The `form` tag should be excluded.
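The summary above describes an allowlist sanitizer that forgot to exclude form elements, and the expected behaviour is that they are stripped. The following is an added illustration (not GitLab's or swagger-ui's code; the allowlists, tag names and sample description are assumptions constructed for it) of a description sanitizer that drops `form` and other form controls while keeping their text, and records what it dropped so the renderer can log when an API description carried a form:

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of tag -> permitted attributes for rendering API descriptions.
# Assumed for this example; it is not GitLab's or swagger-ui's real configuration.
STRICT_ALLOWLIST = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
                    "code": set(), "pre": set(), "ul": set(), "ol": set(), "li": set(),
                    "br": set(), "a": {"href"}}
# A weak allowlist that forgot form elements: the class of bug the report describes.
WEAK_ALLOWLIST = dict(STRICT_ALLOWLIST, form={"method", "action"},
                      input={"type", "name", "value"}, button=set())
# Elements that can submit requests or collect input; never let them through.
FORM_TAGS = {"form", "input", "button", "select", "textarea"}

class DescriptionSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags/attributes; other tags are
    dropped (their text is kept) and recorded so the caller can log them."""
    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist, self.out, self.dropped = allowlist, [], []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowlist:
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            # Only allowlisted attributes survive, and no javascript: URLs.
            if name in self.allowlist[tag] and not value.strip().lower().startswith("javascript:"):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # void tags such as <br/> need no close tag

    def handle_endtag(self, tag):
        if tag in self.allowlist:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))      # text nodes are re-escaped on the way out

def sanitize(html, allowlist=STRICT_ALLOWLIST):
    """Returns (clean_html, dropped_tags). A dropped tag from FORM_TAGS is worth
    logging: someone placed a form in an API description."""
    parser = DescriptionSanitizer(allowlist)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample: a description field carrying a form, as the report describes.
SAMPLE = ('<p>Click <b>Execute</b></p><form method="post" action="/api/v4/example">'
          '<input type="hidden" name="_method" value="PUT"><button>Execute</button></form>')

if __name__ == "__main__":
    for label, allowlist in (("weak", WEAK_ALLOWLIST), ("strict", STRICT_ALLOWLIST)):
        clean, dropped = sanitize(SAMPLE, allowlist)
        print(f"{label}: {clean}\n  dropped={dropped} form_tags={sorted(set(dropped) & FORM_TAGS)}")
```

With the weak allowlist the form survives untouched; with the strict one only the text `Execute` remains and the three dropped form tags are reported.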
##### Output of checks
This bug happens on GitLab.com.
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_2022-05-09_at_13.45.59.png](https://h1.sec.gitlab.net/a/b082561f-6380-4e9c-8c39-f4a322880f33/Screenshot_2022-05-09_at_13.45.59.png)
## How To Reproduce
Please add [reproducibility information] to this section:
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues