Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stored XSS in Mermaid when viewing Markdown files - 662

SaleeMrAshid - HackerOne, posted 4 years ago
  • GitLab does a lot of custom work in its Markdown pipeline. One of the additions is inline Mermaid, a diagram (chart) renderer that runs on fenced blocks inside Markdown.
  • Mermaid can render flowchart node labels as raw HTML. That only happens under a specific configuration that GitLab does not run with: the securityLevel setting must not be strict. If we could get HTML into a label anyway, that could most likely be taken to XSS.
  • Mermaid also supports directives, which let the diagram text itself change the configuration. For obvious security reasons, certain keys cannot be changed this way; secure and securityLevel are the two that matter here. Passing flowchart.htmlLabels as the string "false" (not the boolean) gets past that protection: the value is later checked for presence (truthiness) rather than compared as a boolean, and the non-empty string "false" is truthy, so it reads as "set" without looking like an attempt to turn HTML labels on.
  • With flowchart.htmlLabels holding that value, the flag controlling HTML labels ends up effectively true, and labels are inserted into the page as HTML rather than text. That gives HTML injection. But what about JavaScript?
  • The page has a fairly strict CSP. Inline scripts need a nonce, so an injected <script> block does not run. To get around this, the author uploads the JavaScript as a pipeline artifact: Workhorse (which serves artifacts) picks the Content-Type by auto-detecting it from the file contents, so the payload is served as JavaScript from the GitLab origin itself. A script loaded from the page's own origin satisfies the CSP's script-source restriction.
  • With the JavaScript hosted on the GitLab domain, the remaining problem is loading it from the injected HTML. Markup inserted via innerHTML does not execute <script> elements, so instead the label carries an <iframe srcdoc="..."> whose document references the hosted script. The iframe document is parsed normally, the script element loads from the same origin, and the XSS fires on the page.
  • The triage thread on this report is well worth reading. The author lists several remediations: add flowchart.htmlLabels to the directive denylist, which would stop this particular attack; stop Workhorse from serving artifacts with potentially dangerous (script-capable) Content-Types; and, more fundamentally, not allow HTML labels at all.
  • The bug finder also notes that much of Mermaid's security-related code is quite broken. For instance, the anti-script settings are supposed to block all script execution, yet the author quickly found multiple ways around them, separate from the bug described above. In reality, the project could use a code-quality overhaul on this front.
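As an added example (not Mermaid's, GitLab's or Workhorse's own code, and not taken from the report), the block below models both defects from the notes above: the directive merge with a truthiness check on flowchart.htmlLabels next to its hardened form, and a header policy for serving artifacts whose Content-Type was sniffed from their bytes, so a same-origin upload cannot double as a script source. The config and directive shapes, the SECURE_KEYS denylist, and every function name are assumptions made for illustration.

```javascript
// Added example: a constructed model of the two defect classes described in the
// notes above. This is NOT Mermaid's, GitLab's or Workhorse's actual code; all
// names (SECURE_KEYS, mergeDirective, htmlLabelsEnabledWeak,
// htmlLabelsEnabledStrict, renderLabel, artifactHeaders) are invented.

// ---- Part 1: directive merge and the truthiness check ----

// Keys a diagram directive is never allowed to change (a denylist).
const SECURE_KEYS = ['secure', 'securityLevel'];

// Site configuration as an operator running in strict mode would set it.
const siteConfig = { securityLevel: 'strict', flowchart: { htmlLabels: false } };

// Drops denylisted keys from the directive, then merges the remaining
// top-level sections into a copy of the site configuration.
function mergeDirective(site, directive) {
  const cfg = JSON.parse(JSON.stringify(site));
  const d = JSON.parse(JSON.stringify(directive));
  for (const key of SECURE_KEYS) delete d[key];
  for (const [section, values] of Object.entries(d)) {
    if (values === null || typeof values !== 'object') continue;
    cfg[section] = Object.assign(cfg[section] || {}, values);
  }
  return cfg;
}

// Weak consumer: a truthiness test. The *string* "false" is truthy, so a
// directive that sets htmlLabels to "false" switches HTML labels on.
function htmlLabelsEnabledWeak(cfg) {
  return Boolean(cfg.flowchart.htmlLabels);
}

// Hardened consumer: only the boolean true counts, and strict mode wins
// regardless of what any directive merged in.
function htmlLabelsEnabledStrict(cfg) {
  if (cfg.securityLevel === 'strict') return false;
  return cfg.flowchart.htmlLabels === true;
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a node label as raw HTML or as escaped text, depending on which
// enable-check the renderer uses.
function renderLabel(cfg, label, enabledCheck) {
  return enabledCheck(cfg) ? label : escapeHtml(label);
}

// ---- Part 2: serving user uploads without handing out same-origin script ----

// Media types a browser will execute, or that can carry script.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/javascript', 'application/javascript', 'application/ecmascript',
  'text/xml', 'application/xml',
]);

// "Text/HTML; charset=utf-8" -> "text/html"
function mediaTypeEssence(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

function isActiveType(essence) {
  return ACTIVE_TYPES.has(essence) || essence.endsWith('+xml');
}

// Headers for a raw artifact whose Content-Type was sniffed from its bytes.
// Script-capable types are downgraded to a download, and nosniff is always
// set so a <script src> pointing at the artifact is refused by the browser
// unless the declared type is a JavaScript type.
function artifactHeaders(sniffedType, filename) {
  const essence = mediaTypeEssence(sniffedType);
  const safeName = filename.replace(/[^\w.-]/g, '_');
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (essence === '' || isActiveType(essence)) {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
  } else {
    headers['Content-Type'] = essence;
    headers['Content-Disposition'] = `inline; filename="${safeName}"`;
  }
  return headers;
}

// Constructed directive imitating the trick in the report: the denylisted key
// is stripped, but the string-valued htmlLabels survives the merge.
const directive = { securityLevel: 'loose', flowchart: { htmlLabels: 'false' } };
const merged = mergeDirective(siteConfig, directive);
const label = '<b onmouseover="alert(1)">node</b>';

console.log('weak  :', renderLabel(merged, label, htmlLabelsEnabledWeak));
console.log('strict:', renderLabel(merged, label, htmlLabelsEnabledStrict));
console.log(artifactHeaders('application/javascript', 'payload.js'));
```

Run it with node. The weak check prints the label as live HTML while the strict check prints it escaped. On the serving side, the nosniff header is what makes the octet-stream downgrade bite: without it, browsers will execute almost any non-image, non-media type referenced by a <script src>, so changing the Content-Type alone is not enough.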