XSS vulnerability on custom project templates form (#197302) · Issues · GitLab.org / GitLab · GitLab (original) (raw)

Skip to content

GitLab Next

• • Why GitLab
  • Pricing
  • Contact Sales
  • Explore
• Why GitLab
• Pricing
• Contact Sales
• Explore
• Sign in
• Get free trial

XSS vulnerability on custom project templates form

Summary

The "custom project templates" form is vulnerable to Cross Site Scripting (XSS) attack, as originally reported by @jbroullon in https://gitlab.com/gitlab-org/security/gitlab/merge_requests/50#note_271210097.

Steps to reproduce

• Log in as an admin
• Add a malicious script to a group name
  • Open any group
  • Select Settings > General in the left sidebar
  • Add this to the "Group name": <SCRIPT>alert('ATTACKED!')</SCRIPT>
  • Click to "Save changes"
• Confirm the malicious script is executed on the "Custom project templates" page
  • Go to Settings > Custom project templates
  • Click the group search dropdown input to open it
  • See an alert appear with the text "ATTACKED!"

What is the current bug behavior?

User input is treated as trusted.

What is the expected correct behavior?

User input is not treated as trusted.

Relevant logs and/or screenshots

Similar to [#30173 (closed)](/gitlab-org/gitlab/-/issues/30173 "Stored XSS in "Create Groups"") and #197301 (closed).

Output of checks

This bug happens on GitLab.com

Possible fixes

• Escape using sanitizeItem()
• Escape before saving to the database (but there is strange behavior with this)