
A CSP-bypass XSS in merge-request error messages

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2994150 by yvvdwf on 2025-02-14, assigned to @fvpotvin:

Report | Attachments | How To Reproduce

Report

Hello,

GitLab recently released a fix for #2930243 by removing the ability to inject HTML via the branch name.

I found another HTML injection via the error message of a merge request. For example, an XSS can occur when setting merge_error as below:

"merge_error":"<a class=add-review-item-modal-trigger data-commits-empty=true>Loading ...<i class='add-review-item-modal-wrapper' data-context-commits-path=../raw/main/data.json></a><!--"  

Reproduce

The following steps reproduce the issue on gitlab.com.

As attacker
  • create a new project by importing the attached GitLab export (a.tar.gz, a GitLab export that contains a merge request; I modified merge_error in merge_requests.ndjson as above)
  • change the visibility of the project to public, or invite the victim as a Developer member of the project
As victim
  • there is only one merge request in this project; open it, then click Commits, then click Overview, then click the Add previously merged commits button

clicks.png

  • go to User / Preferences / Access tokens; you will notice that there is an access token created by the attacker

Impact

XSS with CSP bypass allows attackers to execute arbitrary actions on behalf of victims on the client side.
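As an added illustration (not part of the report or of GitLab's own code), the Ruby check below scans the `merge_requests.ndjson` file of a project export for markup in the `merge_error` field, the import path the report abuses, and shows the value HTML-escaped as a status message should be rendered. The two records are constructed for this example; the second carries the payload quoted above.

```ruby
require "json"
require "erb"

# Constructed sample in the merge_requests.ndjson format (one JSON object per
# line). Record 2 carries the merge_error payload from the report above.
SAMPLE_NDJSON = <<~NDJSON
  {"iid":1,"title":"Fix typo","merge_error":null}
  {"iid":2,"title":"Update data","merge_error":"<a class=add-review-item-modal-trigger data-commits-empty=true>Loading ...<i class='add-review-item-modal-wrapper' data-context-commits-path=../raw/main/data.json></a><!--"}
NDJSON

# Fields that hold plain status text and should never contain markup.
TEXT_ONLY_FIELDS = %w[merge_error].freeze

# Heuristic: a tag or comment opener, or an HTML entity, is suspicious here.
MARKUP_PATTERN = /<[a-zA-Z!\/]|&#?\w+;/

# Returns one {iid:, field:, value:} hash per text-only field that contains
# markup, so an importer or responder can reject or triage the record.
def find_markup_in_export(ndjson)
  findings = []
  ndjson.each_line do |line|
    line = line.strip
    next if line.empty?
    record = JSON.parse(line)
    TEXT_ONLY_FIELDS.each do |field|
      value = record[field]
      next unless value.is_a?(String) && value.match?(MARKUP_PATTERN)
      findings << { iid: record["iid"], field: field, value: value }
    end
  end
  findings
end

# How the value should reach the page: escaped, so the browser shows it as
# text instead of parsing it as elements with data attributes.
def render_merge_error(value)
  ERB::Util.html_escape(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  find_markup_in_export(SAMPLE_NDJSON).each do |f|
    puts "MR !#{f[:iid]} #{f[:field]} contains markup: #{render_merge_error(f[:value])}"
  end
end
```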

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: