Introduction
Security vulnerabilities often hide in the smallest implementation details. One such critical flaw was uncovered by security researcher vakzz, who discovered a Stored Cross-Site Scripting (XSS) vulnerability in GitLab’s markdown rendering engine via the DesignReferenceFilter.
This vulnerability not only bypassed GitLab’s Content Security Policy (CSP) but also allowed attackers to inject arbitrary JavaScript anywhere markdown was processed, such as issues, comments, and more.
For responsibly disclosing this high-impact bug, GitLab awarded a $16,000 bounty under report ID #1212067.
Let’s dive into how this vulnerability worked, its potential impact, and how other bug hunters can approach finding similar issues.
The Vulnerability: Breaking Out of Attributes via Filename Injection
GitLab allows users to upload design files (like images) that can be referenced in issues via markdown links. When rendering markdown, GitLab uses a filter called DesignReferenceFilter to parse these references.
Under the hood, a regex pattern was used to match filenames:
valid_char = %r{[^/\s]} #…
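To make the point concrete, here is an added Ruby example (not GitLab's code): it reuses the character class quoted above to show that it accepts quote and angle-bracket characters, and contrasts that with a hypothetical renderer that escapes the filename before placing it in an attribute. The renderer, the link target and the sample filenames are assumptions for illustration.

```ruby
require "cgi"

# The character class quoted from the filter: anything that is not a slash
# or whitespace counts as a valid filename character.
VALID_CHAR = %r{[^/\s]}
VALID_FILENAME = %r{\A#{VALID_CHAR}+\z}

# True when the filter's character class accepts every character in +name+.
# Quotes and angle brackets pass, so this pattern validates shape only;
# it is not an HTML sanitizer and must not be relied on as one.
def accepted_by_filter?(name)
  VALID_FILENAME.match?(name)
end

# Hypothetical renderer (assumption, not GitLab's code): the filename is
# escaped for both attribute and text context before it reaches the markup.
def render_design_link(name, href)
  safe_name = CGI.escapeHTML(name)
  safe_href = CGI.escapeHTML(href)
  %(<a href="#{safe_href}" title="#{safe_name}">#{safe_name}</a>)
end

# Crude structural check on the rendered anchor: exactly one opening and one
# closing tag, and exactly the four attribute-delimiting double quotes.
# Any extra quote or angle bracket would have come from an unescaped filename.
def well_formed_anchor?(html)
  html.count("<") == 2 && html.count(">") == 2 && html.count('"') == 4
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample filenames: one plain, one carrying a double quote.
  ["logo.png", 'a"b.png'].each do |name|
    puts "#{name.inspect}: accepted=#{accepted_by_filter?(name)}"
    puts render_design_link(name, "/designs/1")
  end
end
```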