
Escape Snowplow asset url to prevent XSS Header Injection

What does this MR do and why?

As described in https://gitlab.com/gitlab-org/gitlab/-/issues/382599+, we need to ensure that a manually added X-Forwarded-Host header on requests to GitLab cannot introduce a vulnerability that executes JavaScript via XSS.

Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/382599

Screenshots or screen recordings

Before / After screenshots (images not included in this copy)

How to set up and validate locally

To demonstrate the problem and the fix locally, I followed these steps (in Google Chrome):

(These steps assume that the local test is accessible at http://gdk.test:3000)

Before

  1. Install the ModHeader extension
  2. Enable Snowplow tracking following the docs
  3. Add an X-Forwarded-Host header to Request headers with the value (e.g.):
    • gdk.test:3000/assets/snowplow/sp-871a2a8782c3dbf48f9f2bcc8642417934befe14cbfd7922f7e80e90d4cfe8f9.js"+eval(alert(1))));</script>
  4. With the gdk running on the master branch, navigate to http://gdk.test:3000/explore
  5. A JavaScript alert should pop up, triggered by the JS injected in Step 2.

Note: it might be necessary to allow the host; update development.rb with the URL matching the one in step 3:

  • config.hosts << 'gdk.test:3000/assets/snowplow/sp-871a2a8782c3dbf48f9f2bcc8642417934befe14cbfd7922f7e80e90d4cfe8f9.js"+eval(alert(1))));</script>'

After

  1. Switch the GDK to the jj-382599-AMS-21035-jira-xss-header-injection branch with the fix
  2. Navigate to http://gdk.test:3000/explore
  3. The JavaScript alert should not be triggered
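To show why escaping the asset URL closes this hole, here is an added example that is not code from GitLab or from this MR. It assumes a hypothetical `snowplow_asset_url` stand-in for a request-derived URL helper (the host comes from the request, so a forwarded host flows straight into the URL), a simplified loader snippet, and a constructed host value shaped like the page's payload; the escaping shown is JS-string escaping for the script context, which may differ from the exact change in the MR.

```ruby
# Constructed sample input (not from the MR): an X-Forwarded-Host value carrying
# quote and tag characters, the same shape as the payload used in the repro steps.
UNTRUSTED_HOST = 'gdk.test:3000/evil.js"+alert(1));//</script>'
ASSET_PATH = '/assets/snowplow/sp.js'

# Hypothetical stand-in for a Rails asset URL helper: the host is taken from the
# request, so a forwarded host ends up verbatim in the URL.
def snowplow_asset_url(host, path = ASSET_PATH)
  "http://#{host}#{path}"
end

# Escape a value for use inside a double-quoted JavaScript string literal.
# '<', '>' and '&' become \uXXXX so the text can never form an HTML tag, and
# '"', '\' and line terminators can no longer end or break the string.
def js_string_escape(str)
  str.gsub(/["\\<>&\n\r\u2028\u2029]/) { |c| format('\\u%04x', c.ord) }
end

# Simplified loader snippet: the URL lands inside a JS string in a <script> block,
# which is the context the Snowplow asset URL is rendered into.
def snowplow_snippet(url_text)
  <<~HTML
    <script>
      var s = document.createElement("script");
      s.src = "#{url_text}";
      document.head.appendChild(s);
    </script>
  HTML
end

# Vulnerable: raw interpolation of the request-derived URL (the behaviour fixed here).
def snippet_unescaped(host)
  snowplow_snippet(snowplow_asset_url(host))
end

# Fixed: escape the URL for its JS-string context before embedding it.
def snippet_escaped(host)
  snowplow_snippet(js_string_escape(snowplow_asset_url(host)))
end

# Detection check: the template itself contributes exactly one <script and one
# </script; any extra boundary means the host value broke out of its string.
def script_tag_count(markup)
  markup.scan(%r{</?script}i).size
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{script_tag_count(snippet_unescaped(UNTRUSTED_HOST))} script boundaries"
  puts "escaped:   #{script_tag_count(snippet_escaped(UNTRUSTED_HOST))} script boundaries"
end
```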

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Bojan Marjanovic
