Gitlab XSS in markdown preview page
HackerOne report #645043 by brainpanic on 2019-07-16, assigned to akelly:
Summary
A DOM-based XSS in the markdown preview page, caused by the mermaid diagram feature: a `click` directive whose target is a `javascript:` URL is rendered as a clickable link, so the script runs in the origin of the GitLab page when the node is clicked.
Steps to reproduce
- sign in to GitLab
- find a repo and create an issue
- submit the issue with the following mermaid diagram as its description
graph LR;
A-->CLICK_HERE_AND_GET_BONUS;
click A alert "aaa"
click CLICK_HERE_AND_GET_BONUS "javascript:alert%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29" "Here is the XSS"
- go to the issue page
- click the node named "CLICK_HERE_AND_GET_BONUS"; an alert box showing document.domain appears (the percent-encoded part of the URL decodes to `alert(document.domain)`)
Impact
The XSS runs in the gitlab.com origin and can be used to hijack the account of any victim who clicks the node in the rendered issue.
Examples
Go to the link below and click the node named "CLICK_HERE_AND_GET_BONUS"
c00lyu/sss#1
You will see an alert box with document.domain
What is the current bug behavior?
JavaScript supplied in the URL of a mermaid `click` directive executes when the rendered node is clicked.
What is the expected correct behavior?
Links produced from mermaid `click` directives should never carry a `javascript:` (or any other script-bearing) URL; only safe schemes such as `http:` and `https:` should be rendered as links.
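The expected behaviour above, shown as an added example that is not part of the report and not GitLab's or mermaid's own code: a scheme allowlist applied to the href of every mermaid `click` link directive before the diagram reaches the renderer. The function names, the `https://example.invalid/` base used to resolve relative links and the sample diagram are assumptions made for illustration; the payload line in the sample is the one from the report.

```javascript
// Added example (not from the report, GitLab or mermaid): allowlist the URL
// scheme of every href that a mermaid `click` directive would turn into a link.

// Only these schemes may reach an <a href> built from user-supplied mermaid
// source. javascript:, data:, vbscript: and anything else are rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Resolve the href the way a browser would and check the resulting scheme.
// Using the WHATWG URL parser matters here: it strips leading whitespace and
// embedded ASCII tabs/newlines and lower-cases the scheme, so "  JavaScript:x"
// and "java\nscript:x" both parse to protocol "javascript:" and are rejected.
// Relative links resolve against the (assumed) https base and so pass as https:.
function isSafeClickHref(href) {
  let parsed;
  try {
    parsed = new URL(href, "https://example.invalid/"); // base is an illustration-only assumption
  } catch (e) {
    return false; // unparseable input is never rendered as a link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Matches the link form of a mermaid click directive:
//   click <nodeId> "<href>" ["tooltip"]
// The callback form (`click A alert "aaa"`) has no quoted first argument, is
// not a link, and is left to the renderer's callback policy, not this filter.
const CLICK_LINK_RE = /^\s*click\s+([A-Za-z0-9_]+)\s+"([^"]*)"(?:\s+"([^"]*)")?\s*;?\s*$/;

// Walk a mermaid definition and return a verdict for every link directive.
function auditClickLinks(source) {
  const results = [];
  for (const line of source.split(/\r?\n/)) {
    const m = CLICK_LINK_RE.exec(line);
    if (!m) continue;
    const nodeId = m[1];
    const href = m[2];
    const tooltip = m[3] === undefined ? null : m[3];
    results.push({ nodeId, href, tooltip, safe: isSafeClickHref(href) });
  }
  return results;
}

// Rewrite the definition so that only allowlisted link directives survive;
// offending directives are dropped rather than rendered.
function stripUnsafeClickLinks(source) {
  return source
    .split(/\r?\n/)
    .filter((line) => {
      const m = CLICK_LINK_RE.exec(line);
      return !m || isSafeClickHref(m[2]);
    })
    .join("\n");
}

// Constructed sample: the report's diagram plus one benign https link.
const SAMPLE = [
  "graph LR;",
  "A-->CLICK_HERE_AND_GET_BONUS;",
  'click A alert "aaa"',
  'click CLICK_HERE_AND_GET_BONUS "javascript:alert%28%64%6f%63%75%6d%65%6e%74%2e%64%6f%6d%61%69%6e%29" "Here is the XSS"',
  'click B "https://gitlab.com/" "Safe link"',
].join("\n");

console.log(auditClickLinks(SAMPLE));
console.log(stripUnsafeClickLinks(SAMPLE));
```

The check is deliberately on the parsed `protocol`, not on a string prefix: a prefix test such as `href.startsWith("javascript:")` is defeated by leading whitespace, mixed case or an embedded newline, all of which the browser's URL parser tolerates. The filter only constrains the scheme; it does not restrict the host, so `https://` links to arbitrary sites are still allowed, which is the behaviour an issue tracker normally wants.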
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
