XSS vulnerability on custom project templates form
Summary
The "custom project templates" form is vulnerable to a Cross-Site Scripting (XSS) attack, as originally reported by @jbroullon in https://gitlab.com/gitlab-org/security/gitlab/merge_requests/50#note_271210097.
Steps to reproduce
- Log in as an admin
- Add a malicious script to a group name:
  - Open any group
  - Select Settings > General in the left sidebar
  - Add this to the "Group name": <SCRIPT>alert('ATTACKED!')</SCRIPT>
  - Click "Save changes"
- Confirm the malicious script is executed on the "Custom project templates" page:
  - Go to Settings > Custom project templates
  - Click the group search dropdown input to open it
  - See an alert appear with the text "ATTACKED!"
What is the current bug behavior?
User input is treated as trusted.
What is the expected correct behavior?
User input is not treated as trusted.
Relevant logs and/or screenshots
Similar to #30173 (closed) and #197301 (closed).
Output of checks
This bug happens on GitLab.com
Possible fixes
- Escape using sanitizeItem()
- Escape before saving to the database (but there is strange behavior with this)
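Added example (not GitLab's code) of the sink described above and the output-escaping fix. The dropdown item shape and the template are assumed; escapeHtml() stands in for the sanitizeItem() helper the issue proposes, and the regression check shows how to assert that no markup from the group name survives into the rendered item.

```javascript
// Constructed sample group whose name carries the markup from the report.
const group = { id: 42, name: "<SCRIPT>alert('ATTACKED!')</SCRIPT>" };

// Vulnerable rendering (assumed shape of the dropdown item): the group name
// is treated as trusted and interpolated straight into HTML, so any tag in
// it becomes part of the page when the dropdown opens.
function renderItemUnsafe(item) {
  return `<li data-group-id="${item.id}">${item.name}</li>`;
}

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value. This plays the role of sanitizeItem().
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fixed rendering: every untrusted field is escaped at the point of output,
// so the name is displayed literally instead of being parsed as markup.
function renderItemSafe(item) {
  return `<li data-group-id="${escapeHtml(item.id)}">${escapeHtml(item.name)}</li>`;
}

// Regression check: strip the template's own <li> wrapper and report whether
// any tag-like sequence remains in what came from the group name.
function containsForeignTag(html) {
  const inner = html.replace(/^<li[^>]*>/, '').replace(/<\/li>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Escaping at output time means the stored name stays as the user typed it,
// which avoids the double-escaping seen when data is escaped before saving.
console.log(renderItemUnsafe(group)); // contains a live <SCRIPT> tag
console.log(renderItemSafe(group));   // shows the name as plain text
```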