Stored XSS on the job page
**[HackerOne report #856554](https://hackerone.com/reports/856554)** by `mike12` on 2020-04-22:

Hello Gitlab!

### Steps to reproduce:

1. Run Gitlab `docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest`
2. Create a new project with README.md
3. Go to Operations->Kubernetes
   1. Click on the "Add Kubernetes cluster" button
   2. Select the "Add existing cluster" tab
   3. Kubernetes cluster name: cluster-example
   4. API URL: https://google.com
   5. Service Token: token-example
   6. Uncheck the "GitLab-managed cluster" checkbox
   7. Click on the "Add Kubernetes cluster" button
4. Add ".gitlab-ci.yml" file to the repository (to the master branch)

```
deploy:
  stage: deploy
  script:
    - echo "Example"
  environment:
    name: production
    url: https://google.com
    kubernetes:
      namespace: <img src=x onerror=alert(1)>
  only:
    - master
```

5. Go to CI/CD->Jobs and open the last job

![1.png](https://h1.sec.gitlab.net/a/258a1376-fc37-436c-b7df-331af1a570e0/1.png)

![2.png](https://h1.sec.gitlab.net/a/d459e02a-50c0-4b48-a955-5e00b4316b01/2.png)

#### Vulnerable code

All vulnerable code is in one file [environments_block.vue](https://gitlab.com/gitlab-org/gitlab/-/blob/c2da59f0376ee8d99ce16100d5c481234bbf9f8a/app/assets/javascripts/jobs/components/environments_block.vue)

1. [Line 125](https://gitlab.com/gitlab-org/gitlab/-/blob/c2da59f0376ee8d99ce16100d5c481234bbf9f8a/app/assets/javascripts/jobs/components/environments_block.vue#L125)
2. [Line 156](https://gitlab.com/gitlab-org/gitlab/-/blob/c2da59f0376ee8d99ce16100d5c481234bbf9f8a/app/assets/javascripts/jobs/components/environments_block.vue#L156)
3. [Line 251](https://gitlab.com/gitlab-org/gitlab/-/blob/c2da59f0376ee8d99ce16100d5c481234bbf9f8a/app/assets/javascripts/jobs/components/environments_block.vue#L251)
4. And other places where `%{kubernetesNamespace}` is used

## Impact

An attacker can:

1. Perform any action within the application that a user can perform
2. Steal sensitive user data
3. Steal user's credentials

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [1.png](https://h1.sec.gitlab.net/a/258a1376-fc37-436c-b7df-331af1a570e0/1.png)
* [2.png](https://h1.sec.gitlab.net/a/d459e02a-50c0-4b48-a955-5e00b4316b01/2.png)
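
The report locates the flaw wherever `%{kubernetesNamespace}` is substituted into a message shown on the job page. As an added example (not part of the report and not GitLab's code), the block below shows a placeholder interpolation helper that escapes every parameter unless it is explicitly wrapped as trusted markup, so the link stays clickable while the namespace from `.gitlab-ci.yml` is rendered as text. The names `interpolate`, `TrustedHtml`, `environmentLink` and `renderJobMessage`, and the message text, are hypothetical, and it assumes the component passes the resulting string to an HTML sink.

```javascript
// Added example: hypothetical helpers, not GitLab's code. The message text is constructed.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const MESSAGE = 'This job is deployed to %{environmentLink} using namespace %{kubernetesNamespace}.';

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrapper for markup the application built itself from already-escaped parts.
class TrustedHtml {
  constructor(html) { this.html = html; }
}

// Build the environment link; name and URL both come from .gitlab-ci.yml,
// so both are escaped and the URL is limited to http(s).
function environmentLink(name, url) {
  const href = /^https?:\/\//i.test(url) ? url : '#';
  return new TrustedHtml(`<a href="${escapeHtml(href)}">${escapeHtml(name)}</a>`);
}

// Substitute %{name} placeholders. escapeParams=false reproduces the unsafe pattern.
function interpolate(template, params, escapeParams = true) {
  return template.replace(/%\{(\w+)\}/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) return match;
    const value = params[name];
    if (value instanceof TrustedHtml) return value.html;
    return escapeParams ? escapeHtml(value) : String(value);
  });
}

// Returns the HTML string a component would hand to an HTML sink such as v-html.
function renderJobMessage(namespace, escapeParams) {
  return interpolate(MESSAGE, {
    environmentLink: environmentLink('production', 'https://google.com'),
    kubernetesNamespace: namespace,
  }, escapeParams);
}

const reported = '<img src=x onerror=alert(1)>'; // namespace value from the report
console.log('unescaped:', renderJobMessage(reported, false));
console.log('escaped:  ', renderJobMessage(reported, true));
```

Keeping escaping on by default and requiring an explicit wrapper for markup means a new placeholder added to the message later is safe unless someone deliberately opts out.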