@ChALkeR discovered that our HTML sanitization library was allowing arbitrary user-controlled class attributes on <code> elements. Our JavaScript relies heavily on this attribute for identifying elements within the page. Once an element is found, our JavaScript might do a wide variety of things, such as making XHR requests to a URL specified within the tag or performing some same-site action on a resource specified by another attribute in the element.

Given the variety of possible impacts of user-controlled class attributes, we worked under the assumption that this bug’s impact was the same as CSRF. We identified that the bug was a regression introduced several months ago. During our investigation, we found a similar regression affecting another element. We addressed the vulnerabilities by removing the class attribute from the HTML sanitization whitelist for the affected elements. We have added integration and linting tests to ensure that similar bugs are not introduced and that changes to these whitelists receive further scrutiny from our security team in the future.
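To make the whitelist fix and the lint check concrete, here is an added example (not GitHub's sanitizer or its configuration): a per-element attribute whitelist applied to an already-parsed HTML tree, with the regressed and fixed configurations side by side and a lint that flags `class` on elements the page's JavaScript uses as hooks. The node shape, element names, hook list and sample markup are all assumed for illustration.

```javascript
// Added example, not GitHub's code. Per-element attribute whitelist applied
// to a parsed tree ({tag, attrs, children} nodes; text nodes are strings).

// The regression: `class` whitelisted on <code>, so user markup can carry the
// class names the site's JavaScript keys on. (Assumed config shape.)
const WEAK_ALLOWLIST = {
  a: ['href', 'title'],
  code: ['class'],
  pre: [],
  p: [],
};

// The fix: `class` removed from the user-controlled element.
const FIXED_ALLOWLIST = { ...WEAK_ALLOWLIST, code: [] };

// Elements whose class attribute the site's JavaScript treats as a behaviour
// hook (constructed list for this example).
const JS_HOOK_ELEMENTS = ['code', 'a', 'div'];

// Recursively filter a parsed tree: attributes not whitelisted for the tag are
// dropped; tags not in the whitelist are replaced by their children.
function sanitizeTree(node, allowlist) {
  if (typeof node === 'string') return node;
  const children = node.children.flatMap((c) => sanitizeTree(c, allowlist));
  const allowed = allowlist[node.tag];
  if (!allowed) return children;
  const attrs = Object.fromEntries(
    Object.entries(node.attrs).filter(([name]) => allowed.includes(name))
  );
  return [{ tag: node.tag, attrs, children }];
}

// Lint: list every JS-hooked element whose whitelist lets users set `class`.
// Run in CI so a whitelist change like the regression fails the build.
function lintAllowlist(allowlist, hookElements = JS_HOOK_ELEMENTS) {
  return hookElements.filter((tag) => (allowlist[tag] || []).includes('class'));
}

// Constructed sample: user-supplied <code> carrying a hook class and a URL.
const USER_TREE = {
  tag: 'p',
  attrs: {},
  children: [
    { tag: 'code', attrs: { class: 'js-hook', 'data-url': '/x' }, children: ['hi'] },
  ],
};
```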

Fixes for this bug were included in GitHub Enterprise versions 2.6.19, 2.7.14, 2.8.10, and 2.9.2.