Persistent XSS rendering/escaping of diff location lines `@@` in Merge Request changes view
This issue was originally reported to security@gitlab.com by a user, reported to HackerOne: https://hackerone.com/reports/380621
Summary
In the Merge Request Changes view, the lines showing the hunk locations (starting with @@) that contain matching < and > characters, which are common in many programming languages, are rendered as HTML elements that should have been displayed as text, or are stripped from the output instead of showing the user's data.
Steps to reproduce
- Create a source file with a line containing <input> or <script>, with at least 3 lines following it.
- Commit a change to a line 3 lines below the element from step 1 to a new branch.
- Create an MR for the single-commit branch.
What is the current bug behavior?
The <input> or <script> element is correctly displayed in the New Merge Request form, but when viewed under Changes in the submitted merge request it renders as a text input or is stripped from the output, respectively. Other elements may also be allowed through.
Example Project
What is the expected correct behavior?
The contents of the source file should be properly sanitized and displayed.
Relevant logs and/or screenshots!
Correctly rendered as a "New Merge Request":
Incorrectly rendering a text input element:
Output of checks
This bug happens on GitLab.com.
Possible fixes
This is most likely a regression of the MR refactor.
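As an added illustration of the escaping problem described above (example code, not GitLab's own Changes view implementation): a constructed unified diff whose hunk-location line carries an <input> element in its context text, a vulnerable renderer that concatenates that line into markup, the escaped form that shows it literally, and a check that flags hunk headers which would become markup. The table-cell markup and class names are assumptions.

```javascript
// Added example, not GitLab code. The sample diff is constructed; the text after
// the second "@@" is the enclosing context line git attaches to a hunk header,
// here a line containing an <input> element.
const SAMPLE_DIFF = [
  'diff --git a/form.html b/form.html',
  '--- a/form.html',
  '+++ b/form.html',
  '@@ -1,4 +1,4 @@ <input name="q">',
  '   <label>',
  '-  old',
  '+  new',
  '   </label>',
].join('\n');

// Extract hunk-location lines ("@@ -a,b +c,d @@ context") from a unified diff.
function hunkHeaders(diffText) {
  return diffText
    .split('\n')
    .filter((line) => /^@@ -\d+(,\d+)? \+\d+(,\d+)? @@/.test(line));
}

// Escape the characters that can change the meaning of HTML text or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering (hypothetical markup): the header line is concatenated
// into HTML as-is, so <input name="q"> becomes a real text input in the page.
function renderHunkHeaderUnsafe(line) {
  return `<td class="line_content match">${line}</td>`;
}

// Fixed rendering: the same line is escaped, so the reader sees it verbatim.
function renderHunkHeaderSafe(line) {
  return `<td class="line_content match">${escapeHtml(line)}</td>`;
}

// Check a diff for hunk headers that would turn into markup if left unescaped.
function hunkHeadersWithMarkup(diffText) {
  return hunkHeaders(diffText).filter((line) => /[<>]/.test(line));
}
```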