Gitlab is subject to script injection through crafted git commit message
Created by: ebouchut
When displaying a git commit message that contains HTML tags, GitLab does not HTML escape them. The commit message being displayed as HTML, any page that lists the commits is thus subject to javascript injection.
git commit -m '<script type="text/javascript">alert("Here we go...");</script>'Activity
Created by: davispuh
just checked with newest version and still HTML isn't escaped in commit messages... I wonder why this haven't been fixed...
affected locations:
/{project}/{branch}/tree /{project}/commits /{project}/repositoryEDIT
seems it's not possible to do XSS, because somewhere
<script>tags are stripped, but HTML isn't escaped so that's not proper solution, for example if I make such commit:added big <h1>title</h1>By Administrator on 2012-09-19T21:04:45 (imported from GitLab project)
By Administrator on 2012-09-19T21:04:45 (imported from GitLab)
Created by: rspeicher
When you say "newest version", do you mean current master? Because I'm not able to reproduce this on current master (soon to be 2.9 stable).
By Administrator on 2012-09-19T21:25:12 (imported from GitLab project)
By Administrator on 2012-09-19T21:25:12 (imported from GitLab)
Created by: davispuh
yes, really newest...
$git clone -b master git://github.com/gitlabhq/gitlabhq.git $git pull Already up-to-date. $git show --summary commit 01974185a1640ed869417131d062b5a2eef620bc Author: Robert Speicher <rspeicher@gmail.com> Date: Wed Sep 19 12:14:42 2012 -0400 Simplify is_within matcher [ci skip] $bundle exec rails s -e productionBy Administrator on 2012-09-19T22:19:14 (imported from GitLab project)
By Administrator on 2012-09-19T22:19:14 (imported from GitLab)
Created by: davispuh
I created repository with few commits which does break gitlab nicely :D
git clone git://github.com/davispuh/UberTest.gitand then push to gitlab...By Administrator on 2012-09-19T22:46:48 (imported from GitLab project)
By Administrator on 2012-09-19T22:46:48 (imported from GitLab)
Created by: rspeicher
All right, I'll look into it. Thanks.
On Wednesday, September 19, 2012, Dāvis wrote:
I created repository with few commits which does break gitlab nicely :D git clone git://github.com/davispuh/UberTest.git and then push to gitlab...
— Reply to this email directly or view it on GitHubhttps://github.com/gitlabhq/gitlabhq/issues/1444#issuecomment-8711319.
By Administrator on 2012-09-19T22:48:01 (imported from GitLab project)
By Administrator on 2012-09-19T22:48:01 (imported from GitLab)
Created by: davispuh
btw there's something really messed up, same goes for issue subjects and milestone titles, it's being filtered by some crazy fucked up code :D
doing proper HTML escaping would be much easier, of course then couldn't do
<b>Important</b>but who need that...but +1 for escaping labels properly :)
By Administrator on 2012-09-19T23:22:12 (imported from GitLab project)
By Administrator on 2012-09-19T23:22:12 (imported from GitLab)
Created by: dzaporozhets
By Administrator on 2012-09-20T06:07:27 (imported from GitLab project)
By Administrator on 2012-09-20T06:07:27 (imported from GitLab)
Created by: dzaporozhets
@ebouchut glad to help :)
By Administrator on 2012-10-10T08:24:08 (imported from GitLab project)
By Administrator on 2012-10-10T08:24:08 (imported from GitLab)
