Stored-XSS with CSP-bypass in Merge requests
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #1965750](https://hackerone.com/reports/1965750)** by `yvvdwf` on 2023-04-28, assigned to @rshambhuni: [Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

Hi,

GitLab recently [added an icon to indicate a fork](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116284) on the Merge requests page. This modification marks `source_branch` as `html_safe`, which can cause XSS:

```ruby
### https://gitlab.com/gitlab-org/gitlab/-/blob/f728534d7f6a357cf049cfd7a640a32504a1b9d6/app/helpers/merge_requests_helper.rb#L251
branch_title = if merge_request.for_fork?
                 _('%{source_project_path}:%{source_branch}').html_safe % {
                   source_project_path: merge_request.source_project_path.html_safe,
                   source_branch: merge_request.source_branch.html_safe
                 }
               else
                 merge_request.source_branch
               end
```

### Reproduce

1. Within the current user, e.g., `user_a`, create a public project `user_a/a`
2. Switch to another user, e.g., `user_b`:
   2.1. Fork `https://gitlab.com/user_a/a` to a public project `user_b/b`
   2.2. Clone `user_b/b` to your local machine using `ssh`: `git clone git@gitlab.com:user_b/b`
   2.3. Push a new branch to `user_b/b`:
   ```bash
   git clone git@gitlab.com:user_b/b
   cd b
   git push origin HEAD:"XSS<i/class=hidden><form/class=gl-show-field-errors><input/title='<script>alert(document.domain)</script>'>"
   ```
   2.4. Go back to the gitlab.com website and create a new merge request from the branch created above to `user_a/a`
   2.5. After creating the merge request, you should see a popup created by `<script>alert(document.domain)</script>`
3. The XSS should exist at: `https://gitlab.com/user_a/a/-/merge_requests/1`
4. Example: https://gitlab.com/yvvdwf/test-xss-in-merge-request-via-fork/-/merge_requests/1 (in private mode)

#### Impact

Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
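The following is an added example, not GitLab's code and not part of the report above. It models, in plain Ruby, the one piece of `ActiveSupport::SafeBuffer` behaviour that makes the quoted helper dangerous: `SafeBuffer#%` HTML-escapes each interpolated argument unless that argument is itself already marked `html_safe`, so calling `.html_safe` on the user-controlled branch name switches the escaping off. The `SafeBuffer` stand-in, the `PAYLOAD_BRANCH` constant (constructed from the reproduction steps) and the two `branch_title_*` helpers are assumptions made for illustration; the hardened variant shows one correct shape (pass the untrusted values as plain strings) and is not necessarily the patch GitLab shipped.

```ruby
require 'erb'

# Assumption: a minimal stand-in for ActiveSupport::SafeBuffer that models only
# the behaviour relevant to this report. It is not Rails code.
class String
  # Plain strings are untrusted.
  def html_safe?
    false
  end

  # Mark a string as trusted HTML (the Rails String#html_safe contract).
  def html_safe
    SafeBuffer.new(self)
  end
end

class SafeBuffer < String
  def html_safe?
    true
  end

  # Rails' SafeBuffer#% HTML-escapes every interpolated argument *unless* the
  # argument is already marked html_safe. Wrapping user input in .html_safe
  # before interpolation therefore disables this protection.
  def %(args)
    escaped = args.transform_values do |value|
      value.respond_to?(:html_safe?) && value.html_safe? ? value : ERB::Util.html_escape(value)
    end
    SafeBuffer.new(super(escaped))
  end
end

# Constructed branch name, taken from the report's reproduction steps.
PAYLOAD_BRANCH = "XSS<i/class=hidden><form/class=gl-show-field-errors>" \
                 "<input/title='<script>alert(document.domain)</script>'>"

# Vulnerable shape (hypothetical helper mirroring the snippet quoted in the
# report): both interpolated values are marked html_safe, so the attacker's
# branch name reaches the page unescaped.
def branch_title_vulnerable(source_project_path, source_branch)
  '%{source_project_path}:%{source_branch}'.html_safe % {
    source_project_path: source_project_path.html_safe,
    source_branch: source_branch.html_safe
  }
end

# Hardened shape (assumption: one correct fix, not necessarily GitLab's): pass
# the untrusted values as plain strings and let SafeBuffer#% escape them. The
# result is still an html_safe buffer, so the view renders it without
# double-escaping.
def branch_title_hardened(source_project_path, source_branch)
  '%{source_project_path}:%{source_branch}'.html_safe % {
    source_project_path: source_project_path,
    source_branch: source_branch
  }
end

# True when the rendered title still carries raw markup from the branch name.
def renders_raw_markup?(title)
  title.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{branch_title_vulnerable('user_b/b', PAYLOAD_BRANCH)}"
  puts "hardened:   #{branch_title_hardened('user_b/b', PAYLOAD_BRANCH)}"
end
```

The practical review rule this illustrates: `.html_safe` belongs on the format string you control, never on the values you interpolate into it. Anything derived from user input (branch names, project paths, titles) should reach `SafeBuffer#%` as a plain `String` so the buffer escapes it.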