Slack integration doesn't properly escape titles
Summary
It's possible to manipulate the message produced by the GitLab Slack integration in unintended ways.
Steps to reproduce
Create an issue/merge request with something like the following in the title:
*><http://example.com|*Just a regular MR yo
What is the current bug behavior?
It produces a Slack message which has interpreted the title:
This is bad since it has interpreted the MR title. In the best case this just leads to buggy titles, and in the worst case this could be a security issue (I have not explored this too much).
What is the expected correct behavior?
It should show the entire MR title, escaped for Slack.
Possible fixes
Problem is probably somewhere in https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/models/project_services/chat_message/base_message.rb
This is seen in GitLab EE 11.10.0-ee (dfa95630be4)
Edited by Johan Brandhorst
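
An added example, not part of the original report and not GitLab's code: a Ruby illustration of escaping the three characters Slack documents as control characters (`&`, `<`, `>`) before a title is placed inside `<url|label>` link markup. All method names, the sample user and the MR URL are assumptions, and `link_targets` is only a rough model of how link markup is recognised.

```ruby
# Slack's message format treats &, < and > as control characters;
# they are sent as HTML entities when they are meant literally.
SLACK_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

# Single-pass substitution, so an existing "&lt;" becomes "&amp;lt;"
# and is shown literally instead of being decoded into "<".
def slack_escape(text)
  text.to_s.gsub(/[&<>]/, SLACK_ESCAPES)
end

# Model of the reported behaviour (hypothetical, not GitLab's actual code):
# the title is interpolated into the link label unescaped.
def naive_line(user, iid, title, url)
  "#{user} opened <#{url}|!#{iid} #{title}>"
end

# Same line with every user-controlled field escaped first.
def merge_request_line(user, iid, title, url)
  "#{slack_escape(user)} opened <#{url}|#{slack_escape("!#{iid} #{title}")}>"
end

# Approximation of link recognition: every <target> or <target|label>
# span counts as a link, and the target is returned.
def link_targets(message)
  message.scan(/<([^|>]+)(?:\|[^>]*)?>/).flatten
end

# Constructed sample input: the title from the report and a placeholder URL.
SAMPLE_TITLE = '*><http://example.com|*Just a regular MR yo'
SAMPLE_URL   = 'https://gitlab.example.com/group/project/merge_requests/1'

if __FILE__ == $PROGRAM_NAME
  puts naive_line('alice', 1, SAMPLE_TITLE, SAMPLE_URL)
  puts link_targets(naive_line('alice', 1, SAMPLE_TITLE, SAMPLE_URL)).inspect
  puts merge_request_line('alice', 1, SAMPLE_TITLE, SAMPLE_URL)
  puts link_targets(merge_request_line('alice', 1, SAMPLE_TITLE, SAMPLE_URL)).inspect
end
```

Entity escaping only covers the link and mention syntax; emphasis characters such as `*` in a title are not affected by it.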
