show.html.haml
code Severe
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/profiles/two_factor_auths/show.html.haml:112

link_to(_("Delete"), (@webauthn_registration or U2fRegistration.register(current_user, u2f_app_id, device_registration_params, session[:challenges]))[:delete_path], :method => :delete, :class => "gl-button btn btn-danger float-right", :data => ({ :confirm => _("Are you sure you want to delete this device? This action cannot be undone.") }))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/profiles/two_factor_auths/show.html.haml or mark it as false positive.

show.html.haml
code Severe
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/invites/show.html.haml:12

link_to(({ :name => Project.full_name, :url => project_url(Project), :title => _("project"), :path => project_path(Project) } or { :name => Group.name, :url => group_url(Group), :title => _("group"), :path => group_path(Group) })[:name], ({ :name => Project.full_name, :url => project_url(Project), :title => _("project"), :path => project_path(Project) } or { :name => Group.name, :url => group_url(Group), :title => _("group"), :path => group_path(Group) })[:url])

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/invites/show.html.haml or mark it as false positive.

_general.html.haml
code Severe
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe parameter value in link_to href

Location

app/views/sherlock/queries/_general.html.haml:19

link_to(Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).last_application_frame.path, BetterErrors.editor[Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).last_application_frame.path, Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).last_application_frame.line])

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/sherlock/queries/_general.html.haml or mark it as false positive.

show.html.haml
code Severe
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe parameter value in link_to href

Location

app/views/users/show.html.haml:84

link_to(find_routable!(User, params[:username]).short_website_url, find_routable!(User, params[:username]).full_website_url, :class => "text-link", :target => "_blank", :rel => "me noopener noreferrer nofollow", :itemprop => "url")

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/users/show.html.haml or mark it as false positive.
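The five "in link_to href" findings above share one root cause that the category description does not spell out: Rails does HTML-escape the href attribute, but escaping does not neutralise a `javascript:` or `data:` scheme, so a URL taken from a model attribute (such as a profile website) or a request parameter can execute script when clicked. The added example below is not GitLab code; it is a plain-Ruby stand-in for the pattern, with `naive_href`, `safe_website_url` and `safe_link` as hypothetical helper names and the inputs constructed for the demonstration. It shows the escaped-but-still-live link next to a scheme allow-list that only admits http(s) URLs with a host:

```ruby
require "uri"
require "cgi"

# Added example, not GitLab code. Only these schemes may become a clickable href.
ALLOWED_SCHEMES = %w[http https].freeze

# Stand-in for how link_to emits an href: the value is HTML-escaped, nothing more.
# A "javascript:" URL contains no HTML-special characters, so it survives intact.
def naive_href(website_url)
  %(<a href="#{CGI.escapeHTML(website_url)}">site</a>)
end

# Hardened variant: parse, require an allowed scheme and a host, return nil otherwise
# so the caller can render plain text instead of a link.
def safe_website_url(raw)
  return nil if raw.nil? || raw.strip.empty?

  candidate = raw.strip
  # Bare hostnames ("example.com") get a default scheme. Anything that already
  # carries a scheme is judged as-is, so "javascript:..." is not silently rewritten
  # into "http://javascript:..." and then accepted.
  candidate = "http://#{candidate}" unless candidate =~ /\A[a-z][a-z0-9+.-]*:/i

  uri = URI.parse(candidate)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  return nil if uri.host.nil? || uri.host.empty?

  uri.to_s
rescue URI::InvalidURIError
  # Control characters, "<", unbalanced brackets etc. never reach the page as a link.
  nil
end

# Renders a link only when the URL passed the allow-list; otherwise the raw value
# is shown as escaped text, which is inert.
def safe_link(website_url)
  href = safe_website_url(website_url)
  return CGI.escapeHTML(website_url.to_s) if href.nil?

  %(<a href="#{CGI.escapeHTML(href)}" rel="me noopener noreferrer nofollow">site</a>)
end
```

The allow-list deliberately rejects `mailto:` and other non-web schemes as well; if a field is meant to hold them, extend `ALLOWED_SCHEMES` explicitly rather than falling back to a deny-list of bad schemes, since browsers tolerate whitespace and case variations that a deny-list tends to miss.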

unsubscribe.html.haml
code Severe
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unsafe model attribute in link_to href

Location

app/views/sent_notifications/unsubscribe.html.haml:13

link_to(("#{SentNotification.for(params[:id]).noteable.title} (#{SentNotification.for(params[:id]).noteable.to_reference})" or "#{SentNotification.for(params[:id]).noteable.to_reference}"), (url_for([SentNotification.for(params[:id]).project, SentNotification.for(params[:id]).noteable]) or breadcrumb_title_link))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/sent_notifications/unsubscribe.html.haml or mark it as false positive.

CVE-2020-8264
actionpack Moderate
Cross-Site Scripting
Discovered 7 months ago
Published 8 months ago
Category: Cross-Site Scripting
Severity: Moderate

There is a possible XSS vulnerability in Action Pack while the application server is in development mode. This vulnerability is in the Actionable Exceptions middleware. This vulnerability has been assigned the CVE identifier CVE-2020-8264.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.0.3.4

Impact

When an application is running in development mode, an attacker can send, or embed in another page, a specially crafted URL that allows the attacker to execute JavaScript in the context of the local application.

Workarounds

Until the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environments/development.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

CVSS Metrics: n/a (Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact and Availability Impact not provided)
Patched Versions

>= 6.0.3.4

Unaffected Versions

< 6.0.0

References

n/a

_content.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/shared/hook_logs/_content.html.haml:44

hook.web_hook_logs.find(params[:id]).response_body

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/shared/hook_logs/_content.html.haml or mark it as false positive.

_widget.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/projects/merge_requests/_widget.html.haml:4

serialize_issuable(merge_request_includes(find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)).merge_requests).find_by_iid!(params[:id]), :serializer => "widget", :issues_links => true)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/projects/merge_requests/_widget.html.haml or mark it as false positive.

_general.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/sherlock/queries/_general.html.haml:39

highlight("#{Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).id}.sql", Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).formatted_query, :language => "sql")

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/sherlock/queries/_general.html.haml or mark it as false positive.

_content.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/shared/hook_logs/_content.html.haml:34

Gitlab::Json.pretty_generate(hook.web_hook_logs.find(params[:id]).request_data)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/shared/hook_logs/_content.html.haml or mark it as false positive.

show.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/admin/projects/show.html.haml:166

(_("This repository was last checked %{last_check_timestamp}. The check %{strong_start}failed.%{strong_end} See the 'repocheck.log' file for error messages.") % { :last_check_timestamp => Project.find_by_full_path([params[:namespace_id], "/", params[:id]].join("")).last_repository_check_at.to_s(:medium), :strong_start => "<strong class='cred'>", :strong_end => "</strong>" })

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/admin/projects/show.html.haml or mark it as false positive.

_current_user_dropdown.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/layouts/header/_current_user_dropdown.html.haml:13

current_user.status.message_html

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/layouts/header/_current_user_dropdown.html.haml or mark it as false positive.

show.html.haml
code Moderate
Cross-Site Scripting
Discovered 7 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/admin/projects/show.html.haml:22

(_("Last repository check (%{last_check_timestamp}) failed. See the 'repocheck.log' file for error messages.") % { :last_check_timestamp => time_ago_with_tooltip(Project.find_by_full_path([params[:namespace_id], "/", params[:id]].join("")).last_repository_check_at) })

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/admin/projects/show.html.haml or mark it as false positive.
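The two admin/projects/show.html.haml findings (lines 22 and 166 above) share a pattern worth understanding beyond the scanner's one-line description: a translated template carries markup placeholders (`%{strong_start}`, `%{strong_end}`) next to a data placeholder, and because the markup must reach the page raw, the whole formatted string ends up emitted unescaped, so whatever was interpolated for the data placeholder is emitted unescaped too. In these two findings the value is a formatted timestamp, which limits the exposure; the pattern becomes exploitable whenever the interpolated value is something a user can influence. The added example below is not GitLab code: it is plain Ruby with a constructed template of the same shape, hypothetical helper names (`render_naive`, `render_escaped`, `render_with_escaping`) and a constructed hostile value standing in for the model attribute. It shows the injection surviving the naive version and the fix of escaping every non-markup value before interpolation:

```ruby
require "cgi"

# Added example, not GitLab code. Constructed template of the same shape as the
# finding: trusted markup tokens and a data placeholder in one i18n string.
TEMPLATE = "This repository was last checked %{last_check_timestamp}. " \
           "The check %{strong_start}failed.%{strong_end}".freeze

# The only values allowed to reach the page as raw HTML.
MARKUP = { strong_start: "<strong class='cred'>", strong_end: "</strong>" }.freeze

# Naive: interpolate first, emit the whole string raw afterwards (as `!=` or
# `.html_safe` would). The data value rides along unescaped.
def render_naive(timestamp)
  TEMPLATE % MARKUP.merge(last_check_timestamp: timestamp)
end

# Hardened: escape the untrusted value before interpolation; only the literal
# markup tokens stay raw. The template itself comes from the i18n catalogue
# and is treated as trusted.
def render_escaped(timestamp)
  TEMPLATE % MARKUP.merge(last_check_timestamp: CGI.escapeHTML(timestamp.to_s))
end

# General form of the same fix: every key not named in trusted_keys is escaped,
# so adding a new placeholder to the template cannot silently reopen the sink.
def render_with_escaping(template, values, trusted_keys: MARKUP.keys)
  escaped = values.to_h do |key, value|
    [key, trusted_keys.include?(key) ? value.to_s : CGI.escapeHTML(value.to_s)]
  end
  template % escaped
end
```

The general form is the one to reach for in a view helper: the escaping decision is made per key at the point of interpolation, not by the caller remembering to escape before calling `%`, and the trusted set is a short explicit list rather than "everything that happens to look like markup".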