Persistent XSS - Selecting users as allowed merge request approvers
https://hackerone.com/reports/346217
Summary: When using the dropdown that selects the users that are allowed to approve a merge request, it is possible to trigger an XSS with a malicious user name string.
Description:
The steps to reproduce are fairly simple but there are some restrictions:
- Only members of a project with Master access are able to become victims of the XSS
- Only groups/members with a subscription level of Starter or higher are able to perform the XSS. This is a premium feature only allowed at Starter or higher. (https://gitlab.com/help/user/project/merge_requests/merge_request_approvals)
Steps To Reproduce:
- Set your own username as "<img src=x onerror=alert(document.domain)> foo / bar"
- Make yourself have at least Master access to a project
- Under Project Settings -> General -> Merge Request Settings, click the "Merge request approvals" checkbox
- Select the user dropdown input for selecting eligible users to approve merge requests
- Notice that the onerror attribute from the username renders.
Note that the scope change is because any project member who appears in the dropdown can change their username to exercise the vulnerability.
Suggested Remediation
I (the reporting hacker) believe this is the offending line: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/app/assets/javascripts/approvers_select.js#L134
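As an added illustration of the rendering pattern behind this class of bug and its fix (example code written for this page, not GitLab's approvers_select.js; the user object shape, the function names and the sample username are assumptions):

```javascript
// Added example: one entry of an approver dropdown, first built by
// interpolating the display name into HTML unescaped, then hardened.
// Plain string functions so it runs under Node without a DOM.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the display name goes into markup verbatim, so a name
// carrying a tag becomes live HTML once the string is assigned to innerHTML.
function renderApproverOptionUnsafe(user) {
  return `<li data-user-id="${user.id}">${user.name} (@${user.username})</li>`;
}

// Hardened pattern: every user-controlled field is escaped before interpolation.
// In the browser, creating the <li> with document.createElement and setting
// textContent gives the same guarantee without string templating at all.
function renderApproverOption(user) {
  return `<li data-user-id="${escapeHtml(user.id)}">` +
    `${escapeHtml(user.name)} (@${escapeHtml(user.username)})</li>`;
}

// Constructed sample user (assumption) whose display name has the shape of
// the payload in the report above.
const sampleUser = {
  id: 42,
  username: 'mallory',
  name: '<img src=x onerror=alert(document.domain)> foo / bar',
};

// Reviewer self-check: does the rendered HTML still contain a raw <tag ...>?
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}[\\s>]`, 'i').test(html);
}

const unsafeHtml = renderApproverOptionUnsafe(sampleUser); // raw <img> survives
const safeHtml = renderApproverOption(sampleUser);         // rendered as text
```

Running both renderers over the same user shows the difference a template review should look for: the escaped output keeps the name as literal text, so no event handler attribute ever reaches the parser.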
Impact
The security impact is the same as any typical persistent XSS.
GitLab Security Team Verification
This was verified against 10.7.3-ee with a Starter license.
Edited by James Ritchey
