HTML Injection for label description on issues/MR page
HackerOne report #536681 by xanbanx on 2019-04-12, assigned to estrike:
Hi GitLab Security Team,
I found an HTML injection for the labels tooltip. Right now, I am able to inject HTML, for example an image tag. However, I was not yet able to escalate it to XSS. It seems the tooltip for labels is a bit different for issues displayed on the issues page, where all issues are displayed in a row. Here, the tooltip allows injecting HTML into the DOM, for example image tags.
I was not sure which weakness to assign because it is not an XSS yet.
Steps to reproduce
Tested on gitlab.com
- On a project, create a new label with the description
<img src=https://upload.wikimedia.org/wikipedia/commons/b/bd/A_Smiley.jpg>
- Create a new issue, and assign it the previously created label
- Go on the issue list and hover over the label
Here you can observe the image being loaded <- HTML injection
Steps to mitigate
Properly sanitize the input.
Impact
The HTML injection allows injecting malicious content such as images, links, input forms, etc. This vulnerability may be escalated to a stored XSS vulnerability.
Security Issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2880
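
The following is an added example, not part of the report and not GitLab's code. It illustrates the "sanitize the input" mitigation under the assumption that the label description is carried in a `title` attribute and shown by a tooltip running in HTML mode (`data-html="true"`). The helper names and the sample label are hypothetical and constructed for the illustration. It shows why escaping once for the attribute is not enough when the decoded value is parsed as HTML a second time.

```javascript
// Added example: hypothetical helpers, not GitLab's implementation.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DEC = Object.fromEntries(Object.entries(ENT).map(([c, e]) => [e, c]));

// Encode text for placement in HTML text or in a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENT[c]);
}

// Stand-in for the browser decoding an attribute value once while parsing the page.
function decodeAttribute(value) {
  return value.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DEC[e]);
}

// Before: a single escape keeps the attribute intact, but the decoded
// description is then parsed as HTML by the HTML-mode tooltip.
function labelTagSingleEscape(label) {
  return `<span class="label" data-html="true" title="${escapeHtml(label.description)}">` +
    `${escapeHtml(label.title)}</span>`;
}

// After: escape for the tooltip's HTML context first, then for the attribute.
function labelTagDoubleEscape(label) {
  const tooltipHtml = escapeHtml(label.description);
  return `<span class="label" data-html="true" title="${escapeHtml(tooltipHtml)}">` +
    `${escapeHtml(label.title)}</span>`;
}

// The string the tooltip would hand to the HTML parser: the decoded title attribute.
function tooltipSource(tag) {
  const m = /title="([^"]*)"/.exec(tag);
  return m ? decodeAttribute(m[1]) : '';
}

// True if parsing the string as HTML would start an element.
function createsElement(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed sample label; the URL is a placeholder.
const sampleLabel = { title: 'bug', description: '<img src=https://example.invalid/a.jpg>' };

console.log(createsElement(tooltipSource(labelTagSingleEscape(sampleLabel)))); // true
console.log(createsElement(tooltipSource(labelTagDoubleEscape(sampleLabel)))); // false
```

Where the tooltip does not need markup at all, turning HTML mode off and passing the description as plain text removes the second parsing step entirely.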