show.html.haml
code Severe
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe parameter value in link_to href

Location

app/views/users/show.html.haml:84

link_to(find_routable!(User, params[:username]).short_website_url, find_routable!(User, params[:username]).full_website_url, :class => "text-link", :target => "_blank", :rel => "me noopener noreferrer nofollow", :itemprop => "url")

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/users/show.html.haml or mark it as false positive.

prometheus_api_proxy.rb
code Severe
Mass Assignment
Discovered 9 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

Parameters should be whitelisted for mass assignment

Location

app/controllers/concerns/metrics/dashboard/prometheus_api_proxy.rb:43

params.permit!

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/concerns/metrics/dashboard/prometheus_api_proxy.rb or mark it as false positive.

alert.rb
code Severe
Denial of Service
Discovered 9 months ago
Source: static code analysis
Category: Denial of Service
Confidence level: Medium

Problem

Model attribute used in regex

Location

app/models/alert_management/alert.rb:194

/
  (#{Project.reference_pattern})?
  #{Regexp.escape(reference_prefix)}(?<alert>\d+)
/x

Category description: Denial of Service is any attack which causes a service to become unavailable for legitimate clients.

Solution: fix the issue in app/models/alert_management/alert.rb or mark it as false positive.

CVE-2020-8264
actionpack Moderate
Cross-Site Scripting
Discovered 9 months ago
Published 10 months ago
Category: Cross-Site Scripting
Severity: Moderate

There is a possible XSS vulnerability in Action Pack while the application server is in development mode. This vulnerability is in the Actionable Exceptions middleware. This vulnerability has been assigned the CVE identifier CVE-2020-8264.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.0.3.4

Impact

When an application is running in development mode, an attacker can send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application.

Workarounds

Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

CVSS Metrics
Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a
Patched Versions

>= 6.0.3.4

Unaffected Versions

< 6.0.0

References

n/a

show.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/admin/projects/show.html.haml:166

(_("This repository was last checked %{last_check_timestamp}. The check %{strong_start}failed.%{strong_end} See the 'repocheck.log' file for error messages.") % { :last_check_timestamp => Project.find_by_full_path([params[:namespace_id], "/", params[:id]].join("")).last_repository_check_at.to_s(:medium), :strong_start => "<strong class='cred'>", :strong_end => "</strong>" })

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/admin/projects/show.html.haml or mark it as false positive.

processable.rb
code Moderate
SQL Injection
Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/ci/processable.rb:41

where(:scheduling_type => nil).update_all("scheduling_type = CASE WHEN (EXISTS (#{Ci::BuildNeed.scoped_build.select(1).to_sql}))\n         THEN #{scheduling_types[:dag]}\n         ELSE #{scheduling_types[:stage]}\n         END")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/ci/processable.rb or mark it as false positive.

_form.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/projects/services/_form.html.haml:22

render(action => "projects/services/#{find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)).find_or_initialize_service(params[:id]).to_param}/show", {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/projects/services/_form.html.haml or mark it as false positive.

show.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/projects/environments/show.html.haml:83

render(action => environment.deployments.order(:id => :desc).page(params[:page]), {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/projects/environments/show.html.haml or mark it as false positive.

requests_profiles_controller.rb
code Moderate
File Access
Discovered 9 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/admin/requests_profiles_controller.rb:19

send_file(Gitlab::RequestProfiler.find(Rack::Utils.clean_path_info(params[:name])).file_path, :type => ("#{Gitlab::RequestProfiler.find(Rack::Utils.clean_path_info(params[:name])).content_type}; charset=utf-8"), :disposition => "inline")

Category description: File access vulnerabilities occur when user-supplied input can contain ".." or similar characters that are passed through to file access APIs, allowing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/admin/requests_profiles_controller.rb or mark it as false positive.

_content.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/shared/hook_logs/_content.html.haml:44

hook.web_hook_logs.find(params[:id]).response_body

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/shared/hook_logs/_content.html.haml or mark it as false positive.

_current_user_dropdown.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/layouts/header/_current_user_dropdown.html.haml:13

current_user.status.message_html

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/layouts/header/_current_user_dropdown.html.haml or mark it as false positive.

help_controller.rb
code Moderate
File Access
Discovered 9 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/help_controller.rb:43

send_file(File.join(Rails.root, "doc", "#{Rack::Utils.clean_path_info(path_params[:path])}.#{params[:format]}"), :disposition => "inline")

Category description: File access vulnerabilities occur when user-supplied input can contain ".." or similar characters that are passed through to file access APIs, allowing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/help_controller.rb or mark it as false positive.

project.rb
code Moderate
SQL Injection
Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/project.rb:2476

environments.where("name LIKE (#{::Gitlab::SQL::Glob.to_like(::Gitlab::SQL::Glob.q(scope))})")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/project.rb or mark it as false positive.

_widget.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/projects/merge_requests/_widget.html.haml:4

serialize_issuable(merge_request_includes(find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)).merge_requests).find_by_iid!(params[:id]), :serializer => "widget", :issues_links => true)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/projects/merge_requests/_widget.html.haml or mark it as false positive.

_form.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/projects/services/_form.html.haml:2

render(action => "projects/services/#{find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)).find_or_initialize_service(params[:id]).to_param}/top", {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/projects/services/_form.html.haml or mark it as false positive.

index.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/admin/groups/index.html.haml:16

render(action => groups.sort_by_attribute(@sort = params[:sort]).search(params[:name]).page(params[:page]), {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/admin/groups/index.html.haml or mark it as false positive.

event_collection.rb
code Moderate
SQL Injection
Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/event_collection.rb:63

filtered_events.limit(limit_for_join_lateral).where("events.#{parent_column} = parents_for_lateral.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/event_collection.rb or mark it as false positive.

index.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/admin/abuse_reports/index.html.haml:26

render(action => AbuseReportsFinder.new(params).execute, {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/admin/abuse_reports/index.html.haml or mark it as false positive.

_general.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/sherlock/queries/_general.html.haml:39

highlight("#{Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).id}.sql", Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).formatted_query, :language => "sql")

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/sherlock/queries/_general.html.haml or mark it as false positive.

show.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/projects/settings/repository/show.html.haml:16

render(action => DeployKeysPresenter.new(find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)), :current_user => current_user), {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/projects/settings/repository/show.html.haml or mark it as false positive.

relative_positioning.rb
code Moderate
SQL Injection
Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/concerns/relative_positioning.rb:174

relation.where(:relative_position => range).update_all("relative_position = relative_position + #{delta}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/relative_positioning.rb or mark it as false positive.

user.rb
code Moderate
SQL Injection
Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/user.rb:976

project_authorizations.select(1).where("project_authorizations.project_id = #{related_project_column}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user.rb or mark it as false positive.

show.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/projects/show.html.haml:26

render(action => find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)).default_view, { :is_project_overview => true })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/projects/show.html.haml or mark it as false positive.

issuable.rb
code Moderate
SQL Injection
Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/concerns/issuable.rb:331

joins(:labels).where(:labels => ({ :title => title })).group(*grouping_columns(sort)).having("COUNT(DISTINCT labels.title) = #{title.size}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/issuable.rb or mark it as false positive.

_content.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/shared/hook_logs/_content.html.haml:34

Gitlab::Json.pretty_generate(hook.web_hook_logs.find(params[:id]).request_data)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/shared/hook_logs/_content.html.haml or mark it as false positive.

show.html.haml
code Moderate
Cross-Site Scripting
Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/admin/projects/show.html.haml:22

(_("Last repository check (%{last_check_timestamp}) failed. See the 'repocheck.log' file for error messages.") % { :last_check_timestamp => time_ago_with_tooltip(Project.find_by_full_path([params[:namespace_id], "/", params[:id]].join("")).last_repository_check_at) })

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/admin/projects/show.html.haml or mark it as false positive.

index.html.haml
code Moderate
Dynamic Render Path
Discovered 9 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Weak

Problem

Render path contains parameter value

Location

app/views/dashboard/todos/index.html.haml:90

render(action => TodosFinder.new(current_user, todo_params).execute.page(params[:page]).with_entity_associations, {})

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/views/dashboard/todos/index.html.haml or mark it as false positive.