
Stored XSS in merge request because of target branch

HackerOne report #1030189 by ashish_r_padelkar on 2020-11-09, assigned to @kaunghtet:


Report

Summary

Hello,

I found a stored XSS in merge requests which triggers for everyone in a public project, as merge requests are available to everyone. Currently, on GitLab.com it is prevented because of CSP.

Steps to reproduce
  1. Create a file at -/new/master/ and, in the Target Branch section, enter the branch name as the XSS payload `"><img/src='x'onerror=prompt(1)>`.
  2. Now create a merge request at /-/merge_requests/new. Select the above branch with the XSS payload as the Target Branch and create the merge request.
  3. As soon as you create the merge request, you should see the button below

Screenshot_2020-11-10_at_00.52.04.png

  4. Click on Merge Immediately
  5. It will create a pipeline, which appears as a note that triggers this XSS

Screenshot_2020-11-10_at_00.53.36.png
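The root cause described in the steps above is a user-controlled branch name being placed into the HTML of a system note without escaping. The following is an added illustration, not GitLab's own code: the `render_note_unsafe` and `render_note_safe` renderers and the `injected_tag?` check are hypothetical, and the branch name is the payload quoted in the report. It contrasts the unescaped rendering with one that passes the branch name through `ERB::Util.html_escape` before it enters the markup, and includes a simple check a test suite could use to catch a tag that the renderer did not put there.

```ruby
require 'erb'

# Constructed sample input: the branch name used as the payload in this report.
PAYLOAD_BRANCH = %q(><img/src='x'onerror=prompt(1)>)

# Hypothetical vulnerable renderer: the branch name is interpolated straight
# into the note's HTML, so markup inside the name becomes part of the page.
def render_note_unsafe(target_branch)
  "<p>Merge pipeline for branch <code>#{target_branch}</code></p>"
end

# Hardened renderer: the untrusted branch name is HTML-escaped first, so
# '<', '>', quotes and '&' are emitted as entities and rendered as text.
def render_note_safe(target_branch)
  "<p>Merge pipeline for branch <code>#{ERB::Util.html_escape(target_branch)}</code></p>"
end

# Detection helper for tests: true if the rendered fragment contains any tag
# name outside the small set the renderer itself emits.
def injected_tag?(html, allowed = %w[p code])
  tags = html.scan(%r{<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)}).flatten
  tags.any? { |tag| !allowed.include?(tag.downcase) }
end

if __FILE__ == $0
  puts "unsafe: #{render_note_unsafe(PAYLOAD_BRANCH)}"
  puts "safe:   #{render_note_safe(PAYLOAD_BRANCH)}"
  puts "unsafe injects a tag? #{injected_tag?(render_note_unsafe(PAYLOAD_BRANCH))}"
  puts "safe injects a tag?   #{injected_tag?(render_note_safe(PAYLOAD_BRANCH))}"
end
```

Escaping at the point where the value is written into HTML is the fix that holds regardless of which screen later displays the branch name; a Content Security Policy, as the report notes for GitLab.com, only limits what an injected tag can do once it is already in the page.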

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Stored XSS in merge request

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Kaung Htet Aung