
XSS in release Edits

HackerOne report #834555 by ashish_r_padelkar on 2020-03-30, assigned to @ankelly:

Summary

Hello,

I found an XSS that happens because of the back_url parameter in release Edit URLs.

https://gitlab.com/<GroupName>/<ProjectName>/-/releases/<ReleaseName>/edit?back_url=javascript:alert(1)

Steps to reproduce

  1. Log in as a user who has release edit permission in a project and navigate to
    https://gitlab.com/<GroupName>/<ProjectName>/-/releases/<ReleaseName>/edit?back_url=javascript:alert(1)

  2. Click on the Cancel button on the page. You should see the XSS, but it doesn't execute on gitlab.com because of CSP.

What is the current bug behavior?

XSS because of back_url in the URL

What is the expected correct behavior?

Currently, the back_url parameter is reflected in the button click, which should not happen. This is also a candidate for open redirect.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations

Regards,
Ashish

Impact

XSS
Open redirect
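The report describes a "back" parameter that is used as a navigation target when a button is clicked. The defensive pattern for such a parameter is to allow-list it: accept only a same-origin, path-absolute value and fall back to a fixed route otherwise, which closes both the `javascript:` XSS and the open-redirect variant. The following is an added example written for this page, not GitLab's code or its actual fix; `sanitizeBackUrl`, `resolveBackTarget`, the `/` fallback and the `https://app.example` origin are assumptions chosen for illustration.

```javascript
// Added example (not GitLab's code): allow-listing a "back_url"-style
// parameter before using it as a navigation target on a button click.
// Only same-origin, path-absolute URLs are accepted; anything else falls
// back to a safe default route.

const DEFAULT_BACK_URL = '/'; // constructed fallback route

function sanitizeBackUrl(candidate, fallback = DEFAULT_BACK_URL) {
  if (typeof candidate !== 'string') return fallback;
  const value = candidate.trim();

  // Must start with exactly one slash: "/path" stays on this origin,
  // while "//evil.example" is protocol-relative and leaves it. This also
  // rejects any scheme-prefixed value such as "javascript:" or "https:".
  if (!/^\/(?!\/)/.test(value)) return fallback;

  // Reject backslashes, which some browsers normalise to forward slashes
  // ("/\evil.example" becomes "//evil.example").
  if (value.includes('\\')) return fallback;

  // Reject control characters and embedded whitespace; they are never part
  // of a legitimate in-app path and are a classic way to smuggle a scheme.
  if (/[\u0000-\u001F\u007F\s]/.test(value)) return fallback;

  // Final check: resolve against a fixed origin and confirm it stayed there.
  // The origin is a constructed constant; any fixed value works because we
  // only compare against it and return the path portion.
  const base = 'https://app.example';
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;

  // Return a normalised relative URL (dot segments resolved by the parser).
  return parsed.pathname + parsed.search + parsed.hash;
}

// Where the button handler would call it: read the parameter from the page's
// query string and decide the target before assigning it to location.href.
function resolveBackTarget(queryString) {
  const params = new URLSearchParams(queryString);
  return sanitizeBackUrl(params.get('back_url'));
}

// Constructed inputs mirroring the report's payload and benign values.
const SAMPLE_QUERIES = [
  '?back_url=javascript:alert(1)',          // scheme, rejected
  '?back_url=//evil.example/',              // protocol-relative, rejected
  '?back_url=https://evil.example/',        // absolute off-origin, rejected
  '?back_url=%2Fgroup%2Fproject%2F-%2Freleases', // same-origin path, kept
  '',                                       // missing, falls back
];

for (const q of SAMPLE_QUERIES) {
  console.log(JSON.stringify(q), '->', resolveBackTarget(q));
}
```

The function returns a string that is safe to assign to `location.href` (or to pass to a router), so the call site needs no further checks; keeping the allow-list in one place also makes it straightforward to unit-test every rejected shape shown in the constructed inputs.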