Gitlab is subject to script injection through crafted git commit message

Created by: ebouchut

When displaying a git commit message that contains HTML tags, GitLab does not HTML escape them. The commit message being displayed as HTML, any page that lists the commits is thus subject to javascript injection.

git commit -m '<script type="text/javascript">alert("Here we go...");</script>'

Created by: davispuh

just checked with newest version and still HTML isn't escaped in commit messages... I wonder why this haven't been fixed...

affected locations:

/{project}/{branch}/tree
/{project}/commits
/{project}/repository

EDIT

seems it's not possible to do XSS, because somewhere <script> tags are stripped, but HTML isn't escaped so that's not proper solution, for example if I make such commit: added big <h1>title</h1>

By Administrator on 2012-09-19T21:04:45 (imported from GitLab)

Created by: rspeicher

When you say "newest version", do you mean current master? Because I'm not able to reproduce this on current master (soon to be 2.9 stable).

By Administrator on 2012-09-19T21:25:12 (imported from GitLab)

Created by: davispuh

yes, really newest...

$git clone -b master git://github.com/gitlabhq/gitlabhq.git
$git pull
Already up-to-date.
$git show --summary
commit 01974185a1640ed869417131d062b5a2eef620bc
Author: Robert Speicher <rspeicher@gmail.com>
Date:   Wed Sep 19 12:14:42 2012 -0400

    Simplify is_within matcher

    [ci skip]

$bundle exec rails s -e production

By Administrator on 2012-09-19T22:19:14 (imported from GitLab)

Created by: davispuh

I created repository with few commits which does break gitlab nicely :D git clone git://github.com/davispuh/UberTest.git and then push to gitlab...

By Administrator on 2012-09-19T22:46:48 (imported from GitLab)

Created by: rspeicher

All right, I'll look into it. Thanks.

On Wednesday, September 19, 2012, Dāvis wrote:

I created repository with few commits which does break gitlab nicely :D git clone git://github.com/davispuh/UberTest.git and then push to gitlab...

— Reply to this email directly or view it on GitHubhttps://github.com/gitlabhq/gitlabhq/issues/1444#issuecomment-8711319.

By Administrator on 2012-09-19T22:48:01 (imported from GitLab)

Created by: davispuh

btw there's something really messed up, same goes for issue subjects and milestone titles, it's being filtered by some crazy fucked up code :D

doing proper HTML escaping would be much easier, of course then couldn't do <b>Important</b> but who need that...

but +1 for escaping labels properly :)

By Administrator on 2012-09-19T23:22:12 (imported from GitLab)

Created by: rspeicher

Please test that branch for me if you get a chance.

By Administrator on 2012-09-20T00:27:48 (imported from GitLab)

Created by: dzaporozhets

#1512 not solve network graph issue. I'll push a commit in an hour

By Administrator on 2012-09-20T05:59:32 (imported from GitLab)

Created by: dzaporozhets

61049424

By Administrator on 2012-09-20T06:07:27 (imported from GitLab)

Created by: dzaporozhets

Please close an issue if a problem is solved

By Administrator on 2012-09-20T06:07:58 (imported from GitLab)

Created by: davispuh

seems this is finally fixed :)

By Administrator on 2012-09-20T06:57:39 (imported from GitLab)

Created by: ebouchut

Thank very much you guys for having fixed this bug and double thumbs up for building such a great tool.

By Administrator on 2012-10-10T07:40:36 (imported from GitLab)

Created by: dzaporozhets

@ebouchut glad to help :)

By Administrator on 2012-10-10T08:24:08 (imported from GitLab)