Stored-XSS in merge requests
HackerOne report #977697 by yvvdwf
on 2020-09-09, assigned to @vdesousa:
Report
Hi team,
A stored XSS exists in the merge request pages.
Steps to reproduce
- Use any existing project, or create a new project with the option "Initialize repository with a README" checked
- Create a new branch with the name
'><iframe/srcdoc='<script/src=/yvvdwf/data/-/jobs/552156057/artifacts/raw/alert.js></script>'></iframe>
e.g., git push origin master:"'><iframe/srcdoc='<script/src=/yvvdwf/data/-/jobs/552156057/artifacts/raw/alert.js></script>'></iframe>"
- Create a new merge request from the new branch to master
- When you open the newly created merge request, you should see an alert
Impact
This stored XSS allows an attacker to execute arbitrary actions on behalf of the victim, notably via the GitLab API. It occurs automatically, without any need for victim interaction, despite GitLab's CSP.
Examples
(the alert occurs despite GitLab's CSP)
https://gitlab.com/yvvdwf/store-xss-merge-request/-/merge_requests/1
What is the current bug behavior?
In _sidebar.html.haml, the source_branch is not sanitized when used as a title attribute:
%span
= _('Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}').html_safe % { source_branch_open: "<cite title='#{source_branch}'>".html_safe, source_branch_close: "</cite>".html_safe, source_branch: source_branch }
What is the expected correct behavior?
source_branch should be sanitized
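To make the sanitization point concrete, here is an added example (not code from the report or from GitLab) that reproduces the vulnerable interpolation pattern in plain Ruby beside a hardened form that escapes the branch name with the stdlib ERB::Util.html_escape before it is placed in the title attribute. The branch name SAMPLE_BRANCH and the helper names are constructed for the example; a small tag-counting check shows that the escaped fragment contains only the two cite tags the template intended, while the unescaped one carries extra user-supplied tags.

```ruby
require 'erb'

# Constructed sample branch name: a closing quote followed by a tag, which is
# enough to show whether the value can escape the title='...' attribute.
SAMPLE_BRANCH = "'><b>injected</b>".freeze

# Mirrors the vulnerable pattern from _sidebar.html.haml: the branch name is
# interpolated straight into the attribute and the whole string is then
# treated as trusted markup (what html_safe does in the original template).
def cite_unsafe(source_branch)
  "<cite title='#{source_branch}'>#{source_branch}</cite>"
end

# Hardened form: escape the untrusted value before it becomes markup.
# ERB::Util.html_escape encodes & < > " and ', so the value can neither close
# the attribute delimiter nor open a new tag.
def cite_safe(source_branch)
  escaped = ERB::Util.html_escape(source_branch)
  "<cite title='#{escaped}'>#{escaped}</cite>"
end

# Defender-side check: count the tags present in a rendered fragment. The
# template writes exactly two (<cite ...> and </cite>); anything beyond that
# came from the branch name.
def tag_count(html)
  html.scan(%r{<[a-zA-Z/][^>]*>}).length
end

# True when the fragment contains only the tags the template itself emitted.
def attribute_contained?(html)
  tag_count(html) == 2
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{cite_unsafe(SAMPLE_BRANCH)} (contained? #{attribute_contained?(cite_unsafe(SAMPLE_BRANCH))})"
  puts "safe:   #{cite_safe(SAMPLE_BRANCH)} (contained? #{attribute_contained?(cite_safe(SAMPLE_BRANCH))})"
end
```

Escaping at the point where the value meets the attribute is the fix the report asks for; a branch name that is only letters and slashes renders unchanged under cite_safe, so the hardened form costs nothing for legitimate input.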
Output of checks
This bug happens on GitLab.com