HTML Injection for label description on issues/MR page

HackerOne report #536681 by xanbanx on 2019-04-12, assigned to estrike:

Hi GitLab Security Team,

I found an HTML injection for the labels tooltip. Right now, I am able to inject HTML such as, for example, an image tag. However, I was not yet able to escalate it to XSS. It seems the tooltip for labels is a bit different for issues displayed on the issues page, where all issues are displayed in a row. Here, the tooltip allows injecting HTML into the DOM, such as, for example, image tags.

I was not sure which weakness to assign because it is not an XSS yet.

Steps to reproduce

Tested on gitlab.com

  1. On a project, create a new label with the description <img src=https://upload.wikimedia.org/wikipedia/commons/b/bd/A_Smiley.jpg>
  2. Create a new issue, and assign it the previously created label
  3. Go to the issue list and hover over the label

Here you can observe the image being loaded <- HTML injection

Steps to mitigate

Properly sanitize the input.

Impact

The HTML injection allows injecting malicious content such as images, links, input forms etc. This vulnerability may be escalated to a stored XSS vulnerability.


Security Issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2880

Edited by Patrick Derichs
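The pattern behind the report above, as an added example that is neither GitLab's code nor the reporter's: a tooltip template that concatenates a label description straight into HTML (so the `<img>` from step 1 becomes a DOM element on hover) next to the same template with the description escaped for the HTML text and attribute contexts, which is what "properly sanitize the input" amounts to here. The function names, the `label` object shape and the `containsInjectedTag` check are assumptions for illustration; the payload is the one from the report.

```javascript
// Added example (not GitLab's code, not from the report). Helper names and
// the label object shape are assumptions for illustration only.

// Minimal HTML escaper covering both element-text and quoted-attribute
// contexts. It is not a URL or JavaScript-context encoder.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the description is interpolated as-is, so any tag in
// it is parsed as markup once the tooltip HTML is inserted into the page.
function renderTooltipUnsafe(label) {
  return `<span class="label" title="${label.description}">${label.title}</span>` +
         `<div class="tooltip">${label.description}</div>`;
}

// Hardened pattern: every user-controlled field is escaped before it is
// concatenated, so the description is shown as text, not parsed as HTML.
function renderTooltipSafe(label) {
  const title = escapeHtml(label.title);
  const description = escapeHtml(label.description);
  return `<span class="label" title="${description}">${title}</span>` +
         `<div class="tooltip">${description}</div>`;
}

// Demonstration check: does the rendered string contain a start tag other
// than the <span> and <div> the template itself emits?
function containsInjectedTag(html) {
  const tags = [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)]
    .map((m) => m[1].toLowerCase());
  const expected = new Set(['span', 'div']);
  return tags.some((t) => !expected.has(t));
}

// Constructed label using the description from step 1 of the report.
const reportLabel = {
  title: 'bug',
  description: '<img src=https://upload.wikimedia.org/wikipedia/commons/b/bd/A_Smiley.jpg>',
};

// Returns whether each rendering lets the image tag through as markup.
function demo() {
  return {
    unsafeInjected: containsInjectedTag(renderTooltipUnsafe(reportLabel)), // true
    safeInjected: containsInjectedTag(renderTooltipSafe(reportLabel)),     // false
  };
}

console.log(demo());
```

Run with `node`; the unsafe rendering reports an injected `img` tag while the escaped rendering contains only `&lt;img ...&gt;` text. Escaping at the output point is the fix; stripping tags on input alone is weaker, because the same description may later be rendered in a context the input filter did not anticipate.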