Cross-site Scripting (XSS) vulnerability in project import via GitLab export (file names)

A user reported via email to the security list that there is a Cross-site Scripting (XSS) vulnerability in the project import feature for GitLab export files.

Using a file name containing HTML results in persistent XSS:

$ touch \'\<img\ onerror\=alert\(1\)\ src\=x\>.tar.gz\'
$ ls -l
'<img onerror=alert(1) src=x>.tar.gz'

Importing this file results in script execution. The import page persists at /namespace/project/import/new, so a link to it can be sent to other users, who then execute the script when they open it.

I've verified this vulnerability on a test instance.
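As an added illustration of the fix (not GitLab's own code), the snippet below renders the reported file name the vulnerable way, by interpolating it straight into markup, next to the escaped rendering that a Rails view gets by default for non-`html_safe` strings. The file name is taken from the `ls -l` output above; the archive-name allowlist is an assumption added as defence in depth.

```ruby
require "erb"

# Constructed sample input: the file name from the report, exactly as `ls -l` showed it.
REPORTED_FILE_NAME = "'<img onerror=alert(1) src=x>.tar.gz'"

# Vulnerable rendering: the user-controlled file name is interpolated into HTML verbatim,
# so any tag inside it becomes part of the page (the bug described in the report).
def render_import_status_unsafe(file_name)
  "<p>Importing <strong>#{file_name}</strong>...</p>"
end

# Hardened rendering: HTML-escape the file name before interpolation. ERB::Util.html_escape
# turns < > & " ' into entities, so the browser shows the name as text instead of markup.
def render_import_status_safe(file_name)
  "<p>Importing <strong>#{ERB::Util.html_escape(file_name)}</strong>...</p>"
end

# Defence in depth (assumed policy, not from the report): only accept upload names that look
# like a plausible export archive. Output escaping above is still the actual fix.
ARCHIVE_NAME = /\A[\w.\-]+\.tar\.gz\z/

def valid_export_name?(file_name)
  ARCHIVE_NAME.match?(file_name)
end

# Detection helper for tests: does the rendered fragment still contain a raw opening tag?
def contains_raw_tag?(html_fragment, tag)
  html_fragment.include?("<#{tag}")
end

if __FILE__ == $PROGRAM_NAME
  puts render_import_status_unsafe(REPORTED_FILE_NAME)
  puts render_import_status_safe(REPORTED_FILE_NAME)
end
```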

I've deleted the list of hamlit filters so that I can update it for the latest release. I'm only including files that are known or suspected to be vulnerable.