PT-2026-51634 · Go · Gogs.Io/Gogs
Published
2026-06-23
·
Updated
2026-06-23
·
CVE-2026-52816
CVSS v4.0
5.4
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P |
Summary
The Jupyter Notebook (ipynb) sanitizer endpoint at
POST /-/api/sanitize ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability.Severity
High
Affected Versions
All versions using the vulnerable endpoint
Vulnerability Details
- CVE ID: (To be assigned)
- Entry Point:
POST /-/api/sanitize ipynb - Attack Vector: Network
- Authentication Required: No (only needs a registered user account)
Impact
An attacker with a registered user account can:
- Send malicious HTML containing
data:text/htmlURIs to the sanitization endpoint - Receive sanitized but attacker-controlled HTML in the response
- Execute arbitrary JavaScript in the attacker's browser context through XSS
- Potentially exploit other users if the sanitized output is rendered in their context
The vulnerability has higher severity because:
- No authentication required (only needs a registered user account)
- Unlike the safer pattern in
internal/markup/sanitizer.go:39which usesisSafeDataURIto only allow safe image MIME types, this endpoint allows ALL data URIs including HTML - The returned HTML can be used to craft XSS attacks
Proof of Concept
Attacker sends a POST request to the sanitization endpoint:
http
POST /-/api/sanitize ipynb HTTP/1.1
Host: target.gogs.instance
Content-Type: text/plain
<a href="data:text/html,<script>alert(document.cookie)</script>">click</a>The server returns the sanitized HTML with the data URI preserved:
html
<a href="data:text/html,<script>alert(document.cookie)</script>">click</a>When this HTML is rendered in a browser, the JavaScript within the data URI will execute, leading to XSS.
Affected Component
File:
internal/app/api.go:10-16go
func ipynbSanitizer() *bluemonday.Policy {
p := bluemonday.UGCPolicy()
p.AllowAttrs("class", "data-prompt-number").OnElements("div")
p.AllowAttrs("class").OnElements("img")
p.AllowURLSchemes("data") // <-- VULNERABLE: allows all data URIs
return p
}File:
cmd/gogs/web.go:681-683 - No authentication middlewarego
m.Group("/-", func() {
m.Get("/metrics", app.MetricsFilter(), promhttp.Handler())
m.Group("/api", func() {
m.Post("/sanitize ipynb", app.SanitizeIpynb()) // <-- No auth middleware
})
})Root Cause
-
Unrestricted data URI scheme: The code at
internal/app/api.go:14usesp.AllowURLSchemes("data")without any restriction, unlike the safer implementation ininternal/markup/sanitizer.go:39which usesAllowURLSchemeWithCustomPolicy("data", isSafeDataURI)to only allow safe image MIME types. -
No authentication: The endpoint at
cmd/gogs/web.go:682does not have any authentication middleware applied, making it accessible to any registered user. -
Insufficient validation: The sanitization only removes dangerous tags/attributes but preserves data URIs, allowing
data:text/htmlpayloads to pass through.
Suggested Fix
Option 1: Use the same safe pattern as
internal/markup/sanitizer.goReplace
p.AllowURLSchemes("data") with:go
p.AllowURLSchemeWithCustomPolicy("data", isSafeDataURI)Where
isSafeDataURI is a function that only allows safe image MIME types (image/png, image/jpeg, image/gif, etc.).Option 2: Add authentication middleware
Apply appropriate authentication to the endpoint:
go
m.Post("/sanitize ipynb", middleware.signIn, app.SanitizeIpynb())Option 3: Disable data URI scheme entirely
If data URIs are not required for ipynb sanitization:
go
// Remove this line entirely:
// p.AllowURLSchemes("data")Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Gogs.Io/Gogs