
Stored-XSS injected in commit notes

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2500163 by yvvdwf on 2024-05-10, assigned to @ottilia_westerlund:


Report

Hello,

This code is vulnerable:

```javascript
// ...
const headerMessage = $systemNote
  .find('.note-text')
  .find('p')
  .first()
  .text()
  .replace(':', '');

$systemNote.find('.note-header .system-note-message').html(headerMessage);
// ...
```

It uses the text() function to get the content of a p element, then later injects that content with the html() function. This allows converting &lt;script&gt; into <script>, for example, which leads to XSS.

Steps to reproduce

On gitlab.com, create a new project via Import project, then click the GitLab export button to import an exported GitLab project. Fill in the form as you like and use the demo.tar.gz in the attached file to import into the new project.

import-project.png

Once the project has been successfully imported, click on the Initial commit link to view the first commit of the project. You should see a popup alert caused by alert("Hello from " + document.location).

project.png

Impact

Stored XSS with CSP bypass allows attackers to execute arbitrary actions on behalf of victims on the client side.

Best regards,
yvvdwf
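The sink/source mismatch the report describes, shown as an added example that is not code from GitLab or from the reporter. It runs in Node without a DOM, so the jQuery calls are replaced by two stand-ins: decodeHtmlEntities plays the role of .text() (which returns the decoded text of the <p>, turning &lt;script&gt; back into <script>), and escapeHtml plays the role of a text sink such as .text(s). The sample note paragraph is constructed here; it is not the payload from demo.tar.gz.

```javascript
// Added example, not code from the GitLab project or the HackerOne report.
// Models the round trip the report describes: .text() decodes entities in the
// <p>, then .html() re-parses the decoded string as live markup.

// Stand-in for what jQuery .text() returns for a <p> whose server-rendered
// source already contains the payload as harmless entities.
function decodeHtmlEntities(html) {
  return html
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Stand-in for a text sink (jQuery .text(s), element.textContent = s): the
// string is escaped, so its angle brackets survive serialization as entities.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable flow from the report: collect the paragraph's *text*, strip the
// first ':', hand the result to an HTML sink (.html()). Markup that was inert
// as entities in the <p> becomes real elements in .system-note-message.
// Returns the serialized innerHTML the header would end up with.
function renderHeaderVulnerable(noteParagraphHtml) {
  const headerMessage = decodeHtmlEntities(noteParagraphHtml).replace(":", "");
  return headerMessage;
}

// Hardened flow: same data, same ':' stripping, but written through a text
// sink instead of an HTML sink, so the payload stays inert.
function renderHeaderFixed(noteParagraphHtml) {
  const headerMessage = decodeHtmlEntities(noteParagraphHtml).replace(":", "");
  return escapeHtml(headerMessage);
}

// Constructed sample: the note body was rendered safely on the server, so the
// attacker-controlled markup sits inside the <p> as entities.
const SAMPLE_P_HTML =
  "added 1 commit: &lt;img src=x onerror=&quot;alert(1)&quot;&gt;";

console.log("vulnerable:", renderHeaderVulnerable(SAMPLE_P_HTML));
console.log("fixed:     ", renderHeaderFixed(SAMPLE_P_HTML));
```

The point of the comparison is that the bug is not in .text(), which correctly returns decoded text, but in pairing it with an HTML sink; any string that came out of .text() must go back in through a text sink or be escaped first.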

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: