  • #15126
Closed
Open
Created Apr 11, 2016 by Jose Torres (@balameb, Contributor)

XSS git config with alert

ZD: https://gitlab.zendesk.com/agent/tickets/19595
Reproduced: https://gitlab.com/balameb/sample-two

Description

Fun alert when using `git config --global user.email 'my@email.com" onmouseover="alert(1)'`. After pushing any changes, navigate to the specific commit in GitLab (or the main project page) and hover over your username; the alert gets displayed.

There might be some other locations where the git username/email gets displayed, but I suppose your knowledge of where exactly is bigger than mine in that regard (already checked on project->graphs, but since < and > are filtered out I couldn't get anything to display there).


/cc @DouweM
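
The report above shows why filtering only `<` and `>` does not protect a value placed inside an HTML attribute. The following is an added example, not GitLab's code: the function names and markup are hypothetical, and it assumes the author e-mail ends up in a double-quoted attribute of the username link.

```ruby
require 'cgi'

# Constructed sample input: the author e-mail quoted in the report above.
AUTHOR_EMAIL = %q(my@email.com" onmouseover="alert(1))

# Hypothetical "before": strips angle brackets only, then interpolates the
# value into a double-quoted attribute. The embedded quote ends the attribute.
def render_author_unsafe(name, email)
  cleaned = email.delete('<>')
  %(<a class="commit-author" title="#{cleaned}">#{CGI.escapeHTML(name)}</a>)
end

# Hardened form: escape for HTML context, which covers quotes as well as
# angle brackets, so the whole value stays inside the title attribute.
def render_author_safe(name, email)
  %(<a class="commit-author" title="#{CGI.escapeHTML(email)}">#{CGI.escapeHTML(name)}</a>)
end

# Regression-check helper: attribute names on the opening <a> tag.
# Only handles the double-quoted attributes this example emits.
def attribute_names(html)
  tag = html[/<a\b[^>]*>/] or return []
  tag.scan(/([A-Za-z-]+)="[^"]*"/).flatten
end

# Event-handler attributes (on*) that should never come from commit metadata.
def event_handlers(html)
  attribute_names(html).select { |attr| attr.downcase.start_with?('on') }
end

if __FILE__ == $PROGRAM_NAME
  unsafe = render_author_unsafe('Jose Torres', AUTHOR_EMAIL)
  safe   = render_author_safe('Jose Torres', AUTHOR_EMAIL)
  puts "unsafe: #{unsafe}"
  puts "  handlers: #{event_handlers(unsafe).inspect}"
  puts "safe:   #{safe}"
  puts "  handlers: #{event_handlers(safe).inspect}"
end
```

A check like `event_handlers` fits in a view or helper spec for every place commit author name and e-mail are rendered, including the other locations the report suspects.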
