GitLab FOSS issue #49085 (Closed)

Created Jul 10, 2018 by Antony Saba (@asaba)

Persistent XSS rendering/escaping of diff location lines `@@` in Merge Request changes view

This issue was originally reported to security@gitlab.com by a user and also filed on HackerOne: https://hackerone.com/reports/380621

Summary

In the Merge Request Changes view, the hunk location lines starting with `@@` can carry trailing context text copied from the source file. When that text contains matching `<` and `>` characters, common in many programming languages, it is rendered as HTML elements or stripped from the output instead of being escaped and shown as the user's data.

Steps to reproduce

  1. Create a source file with a line containing `<input>` or `<script>`, followed by at least 3 more lines.
  2. On a new branch, commit a change to the line 3 lines below the element from step 1.
  3. Create an MR for the single-commit branch.

What is the current bug behavior?

The `<input>` or `<script>` element is correctly displayed in the New Merge Request form, but when viewed under Changes in the submitted merge request it renders as a text input or is stripped from the output, respectively. Other elements may also be allowed through.

Example Project

  • Stripped
  • Correct in commit view
  • Text input
  • Correct in commit view

What is the expected correct behavior?

The contents of the source file should be properly sanitized and displayed.
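The rendering defect described above, and the escaping the expected behavior calls for, as an added example that is not GitLab's code: a hunk header line is parsed, and its trailing context text (which comes straight from the source file) is shown unescaped beside the hardened form. The `<td class="line_content match">` markup is an assumption chosen for illustration.

```javascript
// Added example, not GitLab's implementation.
// Unified-diff hunk header: "@@ -oldStart,oldLines +newStart,newLines @@ context"
const HUNK_HEADER_RE = /^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)$/;

function parseHunkHeader(line) {
  const m = HUNK_HEADER_RE.exec(line);
  if (!m) return null;
  return {
    oldStart: Number(m[1]),
    oldLines: m[2] === undefined ? 1 : Number(m[2]), // a missing count means 1
    newStart: Number(m[3]),
    newLines: m[4] === undefined ? 1 : Number(m[4]),
    // Trailing function/context text is copied from the repository file:
    // it is user-controlled data and must be treated as text, not markup.
    context: m[5].replace(/^ /, ''),
  };
}

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The defect the issue describes: the header text is interpolated into
// markup as-is, so "<input>" in the context becomes a live element.
function renderHunkHeaderUnsafe(line) {
  const h = parseHunkHeader(line);
  if (!h) return `<td class="line_content match">${line}</td>`;
  return `<td class="line_content match">@@ -${h.oldStart},${h.oldLines} +${h.newStart},${h.newLines} @@ ${h.context}</td>`;
}

// Hardened: every piece of text that originated in the diff is escaped once,
// so the viewer shows "<input>" literally instead of rendering a text box.
function renderHunkHeaderSafe(line) {
  const h = parseHunkHeader(line);
  if (!h) return `<td class="line_content match">${escapeHtml(line)}</td>`;
  const range = `@@ -${h.oldStart},${h.oldLines} +${h.newStart},${h.newLines} @@`;
  return `<td class="line_content match">${escapeHtml(range)} ${escapeHtml(h.context)}</td>`;
}

// Constructed sample header: the file line 3 lines above the change held <input> and <script>.
const SAMPLE_HEADER = '@@ -2,7 +2,7 @@ <input type="text"> and <script>';
```

Running `renderHunkHeaderSafe(SAMPLE_HEADER)` yields `&lt;input type=&quot;text&quot;&gt; and &lt;script&gt;` in the cell, while the unsafe variant emits the raw tags.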

Relevant logs and/or screenshots!

Correctly rendered as a "New Merge Request" (screenshot: new_merge_request)

Incorrectly rendering a text input element (screenshot: merge_request_changes)

Output of checks

This bug happens on GitLab.com.

Possible fixes

This is most likely a regression of the MR refactor.

Edited Dec 18, 2018 by Antony Saba