Arbitrary POST request as victim user from HTML injection in Jupyter notebooks ($8690 USD)
The bug stems from GitLab's use of Rails UJS (Unobtrusive JavaScript). GitLab's DOMPurify configuration strips the known Rails UJS data-* attributes such as data-url and data-method, but arbitrary data-* attributes are left in place (DOMPurify allows them by default). The rest of the markup is sanitized; the problem is that GitLab has event handlers, such as dismiss, that build the endpoint for a POST request from some of these attributes. The dismiss handler, which is attached to any element with the closeButton class, sends a POST request to dismissEndpoint, and dismissEndpoint can be set via data-dismiss-endpoint. Because the HTML output of a Jupyter notebook is rendered by GitLab, an attacker can include a button with the closeButton class that covers the whole screen; when the victim clicks it, GitLab's own frontend JavaScript issues the POST to an attacker-chosen GitLab API endpoint as the victim user (with the victim's session, and from the same origin, so it is not stopped by the usual CSRF protections) and performs a sensitive action such as adding an attacker account as an admin.