XSS in release Edits
HackerOne report #834555 by ashish_r_padelkar
on 2020-03-30, assigned to @ankelly:
Summary
Hello,
I found an XSS that happens because of the back_url parameter in release Edit URLs.
https://gitlab.com/<GroupName>/<ProjectName>/-/releases/<ReleaseName>/edit?back_url=javascript:alert(1)
Steps to reproduce
- Login as a user who has release edit permission in a project and navigate to
  https://gitlab.com/<GroupName>/<ProjectName>/-/releases/<ReleaseName>/edit?back_url=javascript:alert(1)
- Click on the Cancel button on the page. You should see the XSS, but it doesn't execute on gitlab.com because of CSP.
What is the current bug behavior?
XSS because of back_url in the URL
What is the expected correct behavior?
Currently the back_url parameter is reflected in the button click, which should not happen. This is also a candidate for open redirect.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations
Regards,
Ashish
Impact
XSS
Open redirect
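The report describes a Cancel button whose target is taken straight from the back_url query parameter, which lets a javascript: URL (or an off-site URL) be navigated to. The following is an added example, not GitLab's code and not part of the report: a sanitizer that accepts a back_url value only if it resolves to an absolute path on the site's own origin, and falls back to a fixed default otherwise. The function names (sanitizeBackUrl, handleCancel), the DEFAULT_BACK_URL value and the sample origin https://gitlab.example are assumptions made for the example; the same check covers both the XSS case (non-http(s) scheme rejected) and the open-redirect case (foreign origin rejected).

```javascript
// Added example (not GitLab's code). Assumed names: sanitizeBackUrl,
// handleCancel, DEFAULT_BACK_URL and the sample origin below.

const DEFAULT_BACK_URL = '/-/releases'; // assumed fallback destination

// Returns a same-origin path derived from `raw`, or DEFAULT_BACK_URL when
// the value is missing, malformed, uses a non-http(s) scheme, or points
// anywhere other than `origin`.
function sanitizeBackUrl(raw, origin = 'https://gitlab.example') {
  if (typeof raw !== 'string' || raw.length === 0) return DEFAULT_BACK_URL;

  // Require a single leading slash: this rejects "javascript:...",
  // "https://other.example/..." and scheme-relative "//other.example/...".
  if (!raw.startsWith('/') || raw.startsWith('//')) return DEFAULT_BACK_URL;

  // Browsers treat "\" like "/" in URLs, so "/\other.example" could still
  // escape the origin; refuse it rather than try to normalise it.
  if (raw.includes('\\')) return DEFAULT_BACK_URL;

  let parsed;
  try {
    // Resolve against the expected origin; the parser normalises ".." etc.
    parsed = new URL(raw, origin);
  } catch (e) {
    return DEFAULT_BACK_URL;
  }

  // Defence in depth: whatever the parser produced must still be this site
  // over http(s). Anything else is discarded.
  if (parsed.origin !== origin) return DEFAULT_BACK_URL;
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return DEFAULT_BACK_URL;

  // Hand back the normalised path (plus query/fragment), never the raw input.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Vulnerable pattern from the report, shown only to contrast with the fix:
//   cancelButton.onclick = () => { window.location = params.get('back_url'); };
//
// Hardened handler: `navigate` stands in for window.location.assign so the
// logic can run outside a browser. Returns the destination actually used.
function handleCancel(rawBackUrl, navigate, origin = 'https://gitlab.example') {
  const target = sanitizeBackUrl(rawBackUrl, origin);
  navigate(target);
  return target;
}

// Constructed sample inputs a reviewer would check by hand.
const samples = [
  'javascript:alert(1)',               // the report's payload
  'https://other.example/phish',       // open-redirect attempt
  '//other.example/phish',             // scheme-relative redirect attempt
  '/group/project/-/releases?x=1#top', // legitimate same-site return path
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', sanitizeBackUrl(s));
}
```

In a real page the navigate callback would be `(u) => window.location.assign(u)`; the point is that the value reaching the navigation API is always the output of sanitizeBackUrl, never the query string itself, so a Content-Security-Policy is no longer the only thing standing between the parameter and script execution.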