Cross-site Scripting (XSS) vulnerability in project import via GitLab export (file names)
A user reported via email to the security list that there is a Cross-site Scripting (XSS) vulnerability in the project import feature for GitLab export files.
Using a file name containing HTML results in persistent XSS:
$ touch \'\<img\ onerror\=alert\(1\)\ src\=x\>.tar.gz\' $ ls -l '<img onerror=alert(1) src=x>.tar.gz'
Importing this file results in script execution. The link sticks around as
/namespace/project/import/new and can therefore be sent to other users.
I've verified this vulnerability on a test instance.
I've deleted the list of hamlit filters so that I can update it for the latest release. I'm only including files that are known or suspected to be vulnerable.