Stored XSS when promoting Milestone inside Notification
Link: https://hackerone.com/reports/369412
By: @fransrosen
Details: Hi,
When promoting a Milestone, the name of the milestone is not sanitized properly and the notification will trigger any HTML inside the milestone-name.
The issue seems to be that when saving a Milestone with the following name:
AAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCCAAA BBB CCC<img src=x onerror=alert(document.domain)>
The name gets saved with the proper HTML of the entities in the name.
However, if you would try to save the Milestone with proper HTML-tags, the HTML-tags would be stripped out. This seems to be an old mitigation of getting HTML-code inside the Milestone name, but due to the de-htmlentitization being done on the name, it doesn't matter since html-entities will now show up as real HTML-tags.
So, when promoting the Milestone, the notification is not properly sanitizing the name and the HTML will trigger the javascript in my example.
PoC
Here's a video showing the scenario of saving a milestone and promoting it:
Mitigation
You could make sure the whole milestone stripping of HTML-tags is properly done (so HTML-tags are kept) but you would also need to make sure the notification when promoting is actually sanitizing HTML-tags properly.
Impact
The stored XSS is triggering for anyone, also triggering on gitlab.com, and it can trigger on public repos. You could easily build a PoC that would modify the email address of the current user or stealing their CSRF-token as soon as the script triggers, or try stealing information about the user's other private repositories.
Regards, Frans Rosén