Server side cross-site scripting in gogs.io/gogs

Description

Gogs has Stored XSS in .ipynb Preview

Summary

Although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated.

As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS.

Details

After the rendered output of a .ipynb file is sanitized via /-/api/sanitize_ipynb and inserted into the DOM, only the Markdown cell portions are re-rendered using marked() and overwritten in the DOM. During this process, links with the javascript: scheme can be regenerated.

templates/repo/view_file.tmpl:42–71

{{else if .IsIPythonNotebook}}
  <script>
    $.getJSON("{{.RawFileLink}}", null, function(notebook_json) {
      var notebook = nb.parse(notebook_json);
      var rendered = notebook.render();
      $.ajax({
        type: "POST",
        url: '{{AppSubURL}}/-/api/sanitize_ipynb',...

Regular HTML pages (including .ipynb preview pages) are served without a Content Security Policy (CSP); CSP headers are applied only to attachment delivery routes.

internal/cmd/web.go:323

c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")

Steps to Reproduce

    As the attacker, add and push/commit a .ipynb file containing a javascript: link in a Markdown cell to a repository.

      Example (PoC):

      {
        "nbformat": 4,
        "nbformat_minor": 2,
        "metadata": {},
        "cells": [
          {
            "cell_type": "markdown",
            "metadata": {},...

    The victim opens the file on Gogs (e.g., /<user>/<repo>/src/<branch>/poc.ipynb).


    When the victim clicks the poc link displayed in the preview, alert(document.domain) is executed in the same Gogs origin.

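The Details and Steps to Reproduce sections describe one mechanism: a cell is sanitized on the server, then re-rendered on the client by marked() without any link-scheme check, so a javascript: destination comes back. The following is an added example, not Gogs code and not marked's own output, that shows the defensive pattern in JavaScript: a scheme allow-list applied to whatever the client re-renders before it is written into the DOM, plus an audit function a defender can run over pushed notebooks to flag Markdown cells whose links use a scheme outside that allow-list. The small Markdown link renderer, the SAFE_SCHEMES set and the SAMPLE_NOTEBOOK are assumptions constructed for this example so it runs offline.

```javascript
// Added example (not Gogs code): scheme allow-listing for client-side
// re-rendered Markdown cells, plus a notebook audit. The link renderer
// below is a stand-in for marked() and its output format is an assumption.

// Allow-list of URL schemes a rendered link may carry. An allow-list is
// preferred to a javascript:-only deny-list so data:, vbscript: and any
// future scheme are rejected by default.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Markdown inline link: [text](destination); the destination has no
// whitespace but may contain one level of parentheses, as in alert(1).
const LINK_RE = /\[([^\]]+)\]\(((?:[^()\s]|\([^()]*\))+)\)/g;

// Decode numeric and the common named HTML entities so a scheme hidden as
// "&#106;avascript:" is inspected in its decoded form. Out-of-range code
// points become U+FFFD instead of throwing.
function decodeEntities(s) {
  const cp = (n) => (n > 0x10ffff ? "\ufffd" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&amp;/gi, "&").replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">").replace(/&quot;/gi, '"');
}

// True when the destination is relative or uses an allow-listed scheme.
// C0 controls, space and DEL are stripped before the scheme is read because
// browsers ignore them inside "java\tscript:" style URLs.
function isSafeUrl(url) {
  const cleaned = decodeEntities(url).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative or fragment link
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Drop every href/src attribute whose value fails isSafeUrl. Attribute-level
// matching is adequate for a Markdown renderer's own output; arbitrary user
// HTML should go through a DOM-based sanitizer instead.
function neutraliseUnsafeLinks(html) {
  return html.replace(/\s+(href|src)\s*=\s*("([^"]*)"|'([^']*)')/gi,
    (match, _attr, _quoted, dq, sq) => (isSafeUrl(dq !== undefined ? dq : sq) ? match : ""));
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Stand-in for marked(): escapes the cell text and turns [text](url) into
// anchors. Like the client-side re-render in the advisory, it does no
// scheme checking of its own.
function renderMarkdownCell(markdown) {
  return `<p>${escapeHtml(markdown).replace(LINK_RE, (_, text, url) => `<a href="${url}">${text}</a>`)}</p>`;
}

// The fix pattern: the re-rendered cell passes the link filter before it
// is written back into the DOM, so the server-side step cannot be undone.
function renderMarkdownCellSafely(markdown) {
  return neutraliseUnsafeLinks(renderMarkdownCell(markdown));
}

// Defender-side audit: list Markdown cells whose link destinations use a
// scheme outside the allow-list. Suited to a pre-receive hook or a
// repository scan; it only reports.
function findUnsafeNotebookLinks(notebook) {
  const nb = typeof notebook === "string" ? JSON.parse(notebook) : notebook;
  const findings = [];
  (nb.cells || []).forEach((cell, index) => {
    if (cell.cell_type !== "markdown") return;
    const source = Array.isArray(cell.source) ? cell.source.join("") : String(cell.source || "");
    for (const m of source.matchAll(LINK_RE)) {
      if (!isSafeUrl(m[2])) findings.push({ cell: index, url: m[2] });
    }
  });
  return findings;
}

// Constructed sample notebook in the shape the advisory's PoC uses.
const SAMPLE_NOTEBOOK = {
  nbformat: 4,
  nbformat_minor: 2,
  metadata: {},
  cells: [
    { cell_type: "markdown", metadata: {}, source: ["[docs](https://example.org/docs)\n"] },
    { cell_type: "markdown", metadata: {}, source: ["[poc](javascript:alert(document.domain))\n"] },
    { cell_type: "markdown", metadata: {}, source: ["[shouty](JAVASCRIPT:void(0))\n"] },
    { cell_type: "markdown", metadata: {}, source: ["[sibling](../other.ipynb) and [mail](mailto:ops@example.org)\n"] },
    { cell_type: "code", metadata: {}, source: ["print('hi')"], outputs: [] },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findUnsafeNotebookLinks(SAMPLE_NOTEBOOK));
  console.log(renderMarkdownCellSafely("[poc](javascript:alert(document.domain))"));
}
```

The allow-list is the design point: the client-side re-render is only safe if every destination it emits is checked against a short list of permitted schemes after entity decoding and control-character stripping, rather than by searching for the literal string javascript:. The audit function applies the same check to notebook sources, which lets a server reject or flag such files on push independently of how the preview page renders them.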

Minimum Required Privileges

    Attacker: Ability to place a .ipynb file as a regular (non-admin) user

      For example: a general user who can create a public repository and add files.

      Or: write access (collaborator, etc.) to an existing repository that the victim will view.

    Victim: Permission to view the repository (a click is required).

Impact

    Unauthorized actions performed with the victim's account privileges (e.g., repository settings changes, Issue operations, luring the victim into token creation).

    Theft of information accessible to the victim (repository/Issue/Wiki contents, tokens exposed in page context).

    If the victim is an administrator, the impact may escalate to instance-wide configuration changes and user management.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions
FLAT-ZMWMU – Vulnerability | Fluid Attacks Database