Project Milestone with specific name blocks owners/users from accessing group milestone page
HackerOne report #638731 by ashish_r_padelkar
on 2019-07-10, assigned to estrike
Summary
Hello,
A project milestone named <img src=x onerror=prompt(1)> can cause a 500 error on group milestone pages and can prevent group owners or other users from accessing that page until they find the root cause of the issue.
This happens because project milestones are also rendered on the group milestone page at https://gitlab.com/groups/<GroupName>/-/milestones
Steps to reproduce
- Create a project milestone within a group named <img src=x onerror=prompt(1)>
- This will create an empty milestone.
- Now, as any user (or group owner), navigate to https://gitlab.com/groups/<GroupName>/-/milestones
- They will see a 500 error.
What is the current bug behavior?
A project milestone with a specific name blocks owners from accessing the group milestone page.
What is the expected correct behavior?
Either milestone names should not allow special characters such as <, or the group milestone page should render properly regardless of the milestone name.
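The two remedies the report asks for, input validation on the milestone title and output escaping on the group page, as an added Ruby example (not GitLab's own code; the milestone records and field names are constructed for illustration, and the actual cause of the 500 is not stated in the report):

```ruby
require "cgi"

# Constructed sample data, not from GitLab: two project milestones in one group,
# the second carrying the title from the report and no due date (an "empty" milestone).
MILESTONES = [
  { project: "backend",  title: "v1.0", due: "2019-08-01" },
  { project: "frontend", title: "<img src=x onerror=prompt(1)>", due: nil },
].freeze

# Remedy 1 (input side): reject titles that contain markup characters,
# as the report suggests. Returns an error message, or nil when the title is acceptable.
def validate_milestone_title(title)
  return "title can't be blank" if title.nil? || title.strip.empty?
  return "title can't contain < or >" if title.match?(/[<>]/)
  nil
end

# Remedy 2 (output side): HTML-escape every user-controlled field when rendering the
# group milestone list, and tolerate missing values, so a single odd project milestone
# cannot take the whole group page down with a 500.
def render_group_milestones(milestones)
  rows = milestones.map do |m|
    project = CGI.escapeHTML(m[:project].to_s)
    title   = CGI.escapeHTML(m[:title].to_s)
    due     = m[:due] ? CGI.escapeHTML(m[:due].to_s) : "No due date"
    "<li><strong>#{project}</strong>: #{title} (#{due})</li>"
  end
  "<ul>\n#{rows.join("\n")}\n</ul>"
end

if __FILE__ == $PROGRAM_NAME
  MILESTONES.each do |m|
    puts "#{m[:title].inspect}: #{validate_milestone_title(m[:title]) || 'ok'}"
  end
  puts render_group_milestones(MILESTONES)
end
```

With escaping in place the problematic title is shown literally as text in the list instead of being interpreted as markup.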
Output of checks
This bug happens on GitLab.com and might also affect Omnibus installations.
Regards,
Ashish
Impact
There are multiple impacts of this:
- As mentioned earlier, this creates an empty milestone, which then prevents an admin from deleting the milestone or promoting it to group level unless they go directly to the EDIT link and fix it.
- This blocks owners and maintainers from accessing the group milestone page until they find the root cause of the issue. Imagine a user with only the Developer role (project-level access, no group-level access) creates such a milestone and thereby prevents the group owner or admin from accessing group milestones. This happens because project milestones are also rendered on the group milestone page: group owners can see all projects and their milestones, which by default render on the group milestone page regardless of project visibility.
Regards,
Ashish