XSS in url_for(params)
See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18241 / http://guides.rubyonrails.org/security.html#redirection-and-files / https://github.com/rails/rails/pull/20797 / others
Example on GitLab.com: https://gitlab.com/gitlab-org/gitlab-ce/issues?protocol=javascript&host=foo&author_username=%0aalert(%27hi%27)//
Click the feed icon at the top, and you'll get an alert box
We need to:
- Audit all current uses of
url_for
where we modify params. - Replace those with a
safe_params
variant. - Either add a RuboCop rule for
url_for
without the argument beingsafe_params
, or create a follow-up issue.
Because of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18241, the patch will be slightly different for 10.7 and below to 10.8 and above.
Edited by Sean McGivern