XSS in static site editor!

HackerOne report #864356 by bull on 2020-05-01, assigned to @rchan-gitlab:

Hi,

I have found an issue which can be used by an attacker to insert malicious JavaScript for a user and take actions on behalf of the user, steal data, etc.

POC:

  • Go to your GitLab instance

  • Create a public project with a .md file in it

  • Invite the victim as a developer to your project

  • Serve the malicious link: https://gitlab.example.com/USERNAME/REPOSITORY/-/sse/master/FILENAME.md?return_url=javascript:alert(document.domain)

video:

[REDACTED]

It isn't triggering on gitlab.com due to CSP, but the injection is there.

Let me know if you need any more information or if I missed something.
Thanks,
bull

Impact

XSS in GitLab instance!

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

[REDACTED]

Edited by Costel Maxim
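
The report above turns on a return_url query parameter that reaches a link target without a scheme check. The following is an added example, not part of the report and not GitLab's code, showing one way to validate such a parameter before use; safeReturnUrl and FALLBACK_PATH are hypothetical names, and the same-origin policy it enforces is an assumption about what a return link should allow.

```javascript
// Added example (hypothetical helper, not GitLab's implementation).
// Accepts a return_url value only if it resolves to an http(s) URL on the
// application's own origin; anything else falls back to a fixed path.
const FALLBACK_PATH = '/'; // assumed safe default landing page

function safeReturnUrl(rawValue, currentOrigin) {
  const base = new URL(currentOrigin);
  const fallback = new URL(FALLBACK_PATH, base).href;
  if (typeof rawValue !== 'string' || rawValue.length === 0) return fallback;

  let parsed;
  try {
    // The WHATWG URL parser normalises the value the way a browser does when
    // navigating: it trims leading whitespace, removes embedded tab/newline
    // characters and lower-cases the scheme, so "Java\tScript:" is still
    // recognised as "javascript:" here instead of slipping past a regex.
    parsed = new URL(rawValue, base);
  } catch (err) {
    return fallback; // unparseable input
  }

  // Allow-list the scheme; javascript:, data:, vbscript: and others are rejected.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  // Same origin only; also rejects "//host", "\\host" and "user@host" tricks.
  if (parsed.origin !== base.origin) return fallback;

  // Return the absolute URL: a path such as "//evil.example/x" would be read
  // as protocol-relative if handed back as a bare path.
  return parsed.href;
}

// Constructed sample inputs; the first is the value from the report.
const samples = [
  'javascript:alert(document.domain)',
  ' Java\tScript:alert(1)',
  '//evil.example/x',
  'data:text/html,<b>x</b>',
  '/USERNAME/REPOSITORY',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeReturnUrl(s, 'https://gitlab.example.com'));
}
```

CSP, which the report notes blocked execution on gitlab.com, is a second layer; the check above removes the injection itself on instances that do not deploy one.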