Arbitrary POST request as victim user from HTML injection in Jupyter notebooks ($8690 USD)

We discussed this vulnerability during Episode 147 on 23 May 2022

The bug stems from GitLab's use of Rails UJS (Unobtrusive JavaScript). DOMPurify strips the well-known data-* attributes such as data-url and data-method, but it leaves arbitrary data-* attributes in place. Those attributes are sanitized; the problem is that some of GitLab's event handlers, such as dismiss, derive the endpoint for a POST request from them. The dismiss handler, which is attached to any element with the closeButton class, sends a POST request to dismissEndpoint, and that value can be set via data-dismiss-endpoint. Combined with the output of a Jupyter notebook, this allows a button with the closeButton class that occupies the whole screen, and a click on it abuses the GitLab API to perform a sensitive action (such as adding an attacker's account as an admin).
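The root cause above is a blocklist sanitizer: stripping the data-* names that Rails UJS is known to honour does nothing about other data-* attributes that application-specific handlers read. The following is an added example, not GitLab's or DOMPurify's code, that contrasts the two policies on a constructed snippet. The minimal tag walker, the blocklist contents and the placeholder endpoint value are all assumptions made for illustration.

```javascript
// Added example (not GitLab's or DOMPurify's code). A tiny attribute filter is used as a
// stand-in for a real sanitizer so the two policies can be compared offline.

// Constructed blocklist: only the data-* names the page says DOMPurify already strips.
const UJS_BLOCKLIST = new Set(["data-url", "data-method"]);

// Parse the attribute text of one start tag into [name, value] pairs.
function parseAttributes(attrText) {
  const attrs = [];
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs.push([name, value]);
  }
  return attrs;
}

// Rewrite every start tag, keeping only the attributes accepted by `keep`.
function filterAttributes(html, keep) {
  return html.replace(/<([a-zA-Z][\w-]*)([^<>]*?)(\/?)>/g, (_, tag, attrText, selfClose) => {
    const kept = parseAttributes(attrText)
      .filter(([name, value]) => keep(name, value))
      .map(([name, value]) => `${name}="${value.replace(/"/g, "&quot;")}"`);
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose}>`;
  });
}

// Blocklist policy: drops only the data-* names known to be read by Rails UJS.
function sanitizeBlocklist(html) {
  return filterAttributes(html, (name) => !UJS_BLOCKLIST.has(name));
}

// Allowlist policy: keeps a fixed set of presentational attributes; every data-*
// attribute (and any on* handler) is dropped regardless of its name.
function sanitizeAllowlist(html) {
  const allowed = new Set(["class", "id", "href", "src", "alt", "title"]);
  return filterAttributes(html, (name) => allowed.has(name));
}

// Lists the data-* attributes that survive sanitisation: anything here is a value a
// client-side handler such as `dismiss` could still pick up.
function dataAttributeNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<[a-zA-Z][\w-]*([^<>]*)>/g)) {
    for (const [name] of parseAttributes(m[1])) {
      if (name.startsWith("data-")) names.add(name);
    }
  }
  return [...names].sort();
}

// Constructed sample: the handler-bound class plus one known and one unknown data-* attribute.
const SAMPLE =
  '<button class="closeButton" data-method="post" data-dismiss-endpoint="/placeholder-endpoint">x</button>';

console.log("blocklist:", sanitizeBlocklist(SAMPLE));
console.log("allowlist:", sanitizeAllowlist(SAMPLE));
console.log("data-* left by blocklist:", dataAttributeNames(sanitizeBlocklist(SAMPLE)));
```

The blocklist run removes data-method but leaves data-dismiss-endpoint attached to an element that still carries the closeButton class, which is exactly the combination the handler acts on; the allowlist run leaves no data-* attribute at all. The defensive check is `dataAttributeNames` on the sanitizer's output: in an application whose handlers read endpoints from data-* attributes, a non-empty result on user-controlled HTML is a finding regardless of which names the sanitizer was told about.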