GitLab.org / GitLab FOSS / Issue #48617

Stored XSS when promoting Milestone inside Notification

Link:          https://hackerone.com/reports/369412
By:            @fransrosen

Details: Hi,

When promoting a Milestone, the name of the milestone is not sanitized properly and the notification will trigger any HTML inside the milestone-name.

[Screenshot: milestone3]

The issue seems to be that when saving a Milestone with the following name:

AAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCC<img src=x onerror=alert(document.domain)>

The name gets saved with the proper HTML of the entities in the name.

[Screenshot: milestone1]

However, if you would try to save the Milestone with proper HTML-tags, the HTML-tags would be stripped out. This seems to be an old mitigation of getting HTML-code inside the Milestone name, but due to the de-htmlentitization being done on the name, it doesn't matter since html-entities will now show up as real HTML-tags.

So, when promoting the Milestone, the notification is not properly sanitizing the name and the HTML will trigger the JavaScript in my example.

[Screenshot: milestone2]

PoC

Here's a video showing the scenario of saving a milestone and promoting it:

[Video: GitlabMilestonePromote]

Mitigation

You could make sure the whole milestone stripping of HTML-tags is properly done (so HTML-tags are kept) but you would also need to make sure the notification when promoting is actually sanitizing HTML-tags properly.

Impact

The stored XSS is triggering for anyone, also triggering on gitlab.com, and it can trigger on public repos. You could easily build a PoC that would modify the email address of the current user or steal their CSRF token as soon as the script triggers, or try stealing information about the user's other private repositories.

Regards, Frans Rosén
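The double handling the report describes (literal tags stripped when the name is saved, entities decoded again when the notification is rendered) reproduced as an added Ruby example; this is not GitLab's code, and `strip_tags`, the two render functions and the sample milestone names are constructed for illustration.

```ruby
require 'cgi'

# Naive input-side "mitigation" of the kind the report describes: literal
# tags are removed, but HTML entities in the name pass through untouched.
def strip_tags(name)
  name.gsub(/<[^>]*>/, '')
end

# Vulnerable rendering (constructed): entities in the stored name are decoded
# back into markup before the name is dropped into the notification HTML.
def render_notification_vulnerable(stored_name)
  "<p>Milestone #{CGI.unescapeHTML(stored_name)} was promoted</p>"
end

# Hardened rendering: the stored name is treated as plain text and escaped at
# the point it enters HTML, so entities can never turn back into live tags.
def render_notification_safe(stored_name)
  "<p>Milestone #{CGI.escapeHTML(stored_name)} was promoted</p>"
end

# Detection helper: did a user-controlled element tag reach the output?
def contains_injected_tag?(html, tag)
  html.include?("<#{tag}")
end

# Constructed inputs modelled on the report. The first writes the tag as
# entities so the stripper leaves it alone; the second uses a literal tag.
ENTITY_ENCODED = 'Release &lt;img src=x onerror=alert(1)&gt;'
LITERAL_TAG    = 'Release <img src=x onerror=alert(1)>'

def demo
  stored_entities = strip_tags(ENTITY_ENCODED) # entities survive "sanitizing"
  stored_literal  = strip_tags(LITERAL_TAG)    # the literal tag is removed
  {
    stripped_literal: stored_literal,
    vulnerable_html: render_notification_vulnerable(stored_entities),
    safe_html: render_notification_safe(stored_entities)
  }
end
```

Stripping tags on input is not a substitute for escaping on output; the hardened path encodes the stored value wherever it is interpolated into HTML.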
