Gitea markdown not sanitised (links can contain API URLs) #2134

New Issue

Closed

opened 2025-11-02 04:25:02 -06:00 by GiteaMirror · 11 comments

GiteaMirror commented 2025-11-02 04:25:02 -06:00

Owner

Copy Link

Originally created by @Siesh1oo on GitHub (Aug 2, 2018).

• Gitea version (or commit ref): 1.5.0+rc1-94-g819f50ccd
• Git version: nevermind
• Operating system: nevermind
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io: probably (currently down "bad gateway")
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

Create README.md or other markdown file containing a link to some gitea API endpoint:

[I might be a misleading, yet harmless looking link. Click me to learn more](/user/logout)

Problem

API endpoints are normal GET requests, not protected by auth (normal session id used).

Markdown is rendered in normal (non-sandboxed) DOM.

Potential solutions

1. sanitize URLs (do not allow relative or absolute links to API endpoints; if so, regex search'n'replace can for example fill with zero-width/invisible unicode whitespace, or just strike it through),
2. sandbox markdown rendered DOM in iframe with sandbox attribute set (and remove session cookie from outside using JavaScript),
3. Enforce CSRF for all API endpoints.

ideally all three

Originally created by @Siesh1oo on GitHub (Aug 2, 2018). - Gitea version (or commit ref): 1.5.0+rc1-94-g819f50ccd - Git version: nevermind - Operating system: nevermind - Database (use `[x]`): - [ ] PostgreSQL - [x] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: probably (currently down "bad gateway") - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description Create README.md or other markdown file containing a link to some gitea API endpoint: ``` [I might be a misleading, yet harmless looking link. Click me to learn more](/user/logout) ``` ## Problem API endpoints are normal GET requests, not protected by auth (normal session id used). Markdown is rendered in normal (non-sandboxed) DOM. ## Potential solutions 1. sanitize URLs (do not allow relative or absolute links to API endpoints; if so, regex search'n'replace can for example fill with zero-width/invisible unicode whitespace, or just strike it through), 2. sandbox markdown rendered DOM in iframe with sandbox attribute set (and remove session cookie from outside using JavaScript), 3. Enforce CSRF for all API endpoints. ideally all three

GiteaMirror added the topic/security label 2025-11-02 04:25:02 -06:00

GiteaMirror closed this issue 2025-11-02 04:25:02 -06:00

GiteaMirror commented 2025-11-02 04:25:03 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 2, 2018):

Addendum

Same bug for images. Note that the user does not even has to click the image, loading the page will execute the injected API code.

Testcase: create README.md containing an image with URL to API endpoint, log in, visit repository page, do something else and realise that gitea has logged you out:

![This is not an Image of Yaktocat](/user/logout)

@Siesh1oo commented on GitHub (Aug 2, 2018): ## Addendum Same bug for images. Note that the user does not even has to click the image, loading the page will execute the injected API code. Testcase: create README.md containing an image with URL to API endpoint, log in, visit repository page, do something else and realise that gitea has logged you out: ```  ```

GiteaMirror commented 2025-11-02 04:25:03 -06:00

Author

Owner

Copy Link

@lafriks commented on GitHub (Aug 2, 2018):

Yes this should be cleaned up but no harming actions can be done as GET requests are only for getting data not doing actions (except for logout url)

@lafriks commented on GitHub (Aug 2, 2018): Yes this should be cleaned up but no harming actions can be done as GET requests are only for getting data not doing actions (except for logout url)

GiteaMirror commented 2025-11-02 04:25:03 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 3, 2018):

@lafriks: Are you sure? The team/org router go suggested otherwise; logout was used above only as harmless example

@Siesh1oo commented on GitHub (Aug 3, 2018): @lafriks: Are you sure? The team/org router go suggested otherwise; logout was used above only as harmless example

GiteaMirror commented 2025-11-02 04:25:03 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 3, 2018):

Maybe some collaboration possible: https://github.com/gogs/gogs/issues/5355#issuecomment-410117204

@Siesh1oo commented on GitHub (Aug 3, 2018): Maybe some collaboration possible: https://github.com/gogs/gogs/issues/5355#issuecomment-410117204

GiteaMirror commented 2025-11-02 04:25:04 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 3, 2018):

@cezar97:

I complicated myself in trying to add this image that send a GET request in the repository's description. I should added it in the Markdown like you did 😄.

The two issues seem distinct, would need distinct fixes, if solved via sanitizing as discussed there: removing/sanitizing HTML tags from markdown wouldn't fix this one. Markdown links need special treatment unless URLs and images are completely forbidden, which is probably not desirable

@Siesh1oo commented on GitHub (Aug 3, 2018): @cezar97: > I complicated myself in trying to add this image that send a GET request in the repository's description. I should added it in the Markdown like you did 😄. The two issues seem distinct, would need distinct fixes, if solved via sanitizing as discussed there: removing/sanitizing HTML tags from markdown wouldn't fix this one. Markdown links need special treatment unless URLs and images are completely forbidden, which is probably not desirable

GiteaMirror commented 2025-11-02 04:25:04 -06:00

Author

Owner

Copy Link

@msg7086 commented on GitHub (Aug 4, 2018):

I'd say, actions that can change system states, such as logout or star, shall be POST only.

@msg7086 commented on GitHub (Aug 4, 2018): I'd say, actions that can change system states, such as logout or star, shall be POST only.

GiteaMirror commented 2025-11-02 04:25:04 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 4, 2018):

@msg7086: it‘s about the missing CSRF protection token, and that user-provided content is executed/rendered in the same DOM context as the gitea API calls.

CSRF on GET is technically possible, albeit sometimes considered bad practice (one might argue that token is a bit less exposed when passed in body instead of header).

Unfortunately it seems that the macaron CSRF checker does not support CSRF on GET (is this correct? I might be wrong here).

Sending post from simple link URL is possible via jquery $.post(...).

This could possibly be used as minimally invasive hotfix: Replace all GET API actions fav/watch/logout/org.action/etc by href="javascript:$.post(url, CSRF-token-string)", and do not accept GET anywhere in the gitea/router except for landing pages and repo-over-http.

@Siesh1oo commented on GitHub (Aug 4, 2018): @msg7086: it‘s about the missing CSRF protection token, and that user-provided content is executed/rendered in the same DOM context as the gitea API calls. CSRF on GET is technically possible, albeit sometimes considered bad practice (one might argue that token is a bit less exposed when passed in body instead of header). Unfortunately it seems that the macaron CSRF checker does not support CSRF on GET (is this correct? I might be wrong here). Sending post from simple link URL is possible via jquery $.post(...). This could possibly be used as minimally invasive hotfix: Replace all GET API actions fav/watch/logout/org.action/etc by href="javascript:$.post(url, CSRF-token-string)", and do not accept GET anywhere in the gitea/router except for landing pages and repo-over-http.

GiteaMirror commented 2025-11-02 04:25:04 -06:00

Author

Owner

Copy Link

@msg7086 commented on GitHub (Aug 4, 2018):

Thanks for pointing out. Yes CSRF is also needed in this particular case. Just that my reply was focusing on best practices about HTTP verbs (e.g. RESTful style) and not about XSS protection.

Cheers

@msg7086 commented on GitHub (Aug 4, 2018): Thanks for pointing out. Yes CSRF is also needed in this particular case. Just that my reply was focusing on best practices about HTTP verbs (e.g. RESTful style) and not about XSS protection. Cheers

GiteaMirror commented 2025-11-02 04:25:04 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 6, 2018):

@lafriks : related, with example: https://github.com/gogs/gogs/issues/5367

@Siesh1oo commented on GitHub (Aug 6, 2018): @lafriks : related, with example: https://github.com/gogs/gogs/issues/5367

GiteaMirror commented 2025-11-02 04:25:05 -06:00

Author

Owner

Copy Link

@Siesh1oo commented on GitHub (Aug 13, 2018):

One more to check, this one had affected gitlab too:

server-side request forgery (SSRF) vulnerability in migrate https://github.com/gogs/gogs/issues/5372

@Siesh1oo commented on GitHub (Aug 13, 2018): One more to check, this one had affected gitlab too: > server-side request forgery (SSRF) vulnerability in migrate https://github.com/gogs/gogs/issues/5372

GiteaMirror commented 2025-11-02 04:25:05 -06:00

Author

Owner

Copy Link

@jolheiser commented on GitHub (Mar 3, 2020):

Fixed by #10462, #10465, #10582

@jolheiser commented on GitHub (Mar 3, 2020): Fixed by #10462, #10465, #10582

GiteaMirror referenced this issue 2025-11-02 12:05:57 -06:00

[PR #2134] [MERGED] Missing signed commit display translations #16251

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#2134