New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields

HackerOne report #1578400 by cryptopone on 2022-05-22, assigned to H1 Triage:

Report | Attachments | How To Reproduce

Report

Summary

In Gitlab 15.0.0 a new Customer Relations feature was added that allows us to use quick actions to find the contact we wish to select.

However, I noticed that if I set the contact's first name or last name to we can get the XSS to trigger when we are attempting to use the quick commands to add/remove a contact.

Steps to reproduce
  1. Create a new group.
  2. Once the group is created, navigate to the Settings -> General options for the group.
  3. Expand the section "Permissions and group features" and under "Customer Relations" make sure "Enable customer relations" is selected.
  4. Return back to the group page. On the left side of the screen a new menu option will appear titled "Customer relations". Select it.
  5. Create a new contact with "First name" set to "<script>alert(document.domain)</script>" and "Last name" set to "<script>alert(document.domain)</script>". Provide an email address and save your changes.
  6. The user you created in the previous step should now appear as a contact on the Customer Relations page.
  7. Go to the create new project URL (https://gitlab.com/projects/new#blank_project) and under Project URL, select the Group you created earlier. Give the project a name Ex. "CustomerProject".
  8. Once the project has been created on the left side of the project page select "Issues" and then click "New Issue".
  9. In the description pane type "/add_contacts" so the popup appears, then press "enter" to trigger the XSS.
Impact

Users attempting to utilize the quick commands /add_contacts or /remove_contacts could inadvertently trigger XSS while attempting to add/remove a customer to an issue.

Examples

This bug was discovered originally on my self-hosted 15.0.0 but is reproducible on gitlab.com.

Create a contact with the payload in firstname and lastname fields
Customer_Contact.png

Create a new issue and type "/add_contacts" in the markdown text area to trigger the popup to appear
add_contacts_popup.png

Press enter, which will trigger the XSS when attempting to load the list of contacts
add_contact.png

What is the current bug behavior?

The HTML special characters are not escaped, allowing an iframe to be injected into the page with XSS.

What is the expected correct behavior?

The HTML special characters would be escaped and shown in the diagram.

Output of checks

This bug is reproducible on Gitlab.com

Results of GitLab environment info
System:         Ubuntu 20.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.7.5p203  
Gem Version:    3.1.4  
Bundler Version:2.2.33  
Rake Version:   13.0.6  
Redis Version:  6.2.6  
Sidekiq Version:6.4.0  
Go Version:     unknown

GitLab information  
Version:        15.0.0-ee  
Revision:       3b397c17532  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     12.10  
URL:            http://gitlab-pentest4.example.com  
HTTP Clone URL: http://gitlab-pentest4.example.com/some-group/some-project.git  
SSH Clone URL:  git@gitlab-pentest4.example.com:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.3.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell```

####  Impact

JavaScript execution as the authenticated user when the user attempts to add or remove a contact for the new customer relations feature.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Customer_Contact.png](https://h1.sec.gitlab.net/a/6c4b28f1-7dfc-40d6-a71f-b61cebd58a84/Customer_Contact.png)
* [add_contacts_popup.png](https://h1.sec.gitlab.net/a/dcc68f48-29e5-4522-a5a5-df35e41189cc/add_contacts_popup.png)
* [add_contact.png](https://h1.sec.gitlab.net/a/d997a5a5-b30f-4325-abfd-831ce069734e/add_contact.png)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues