Persistent XSS on public wiki pages

Disclosed: 2016-07-27 21:44:23 By jobert To gitlab
Vulnerability Details
# Details

There's a persistent cross-site scripting (XSS) vulnerability in the wiki pages. This can lead to an account takeover via the leaked API token.

# Proof of concept

As an attacker, create a new public repository. Make sure you have a client that is allowed to push to that repository. For this PoC, let's say the repository is located at `[email protected]/dummy/test.git`. On the client, execute the following commands:

```
git clone [email protected]/dummy/test.git
cd test
echo "<script>alert('Hello world!');</script>" > index.html
git add index.html
git commit -m "This message is super important"
git push
```

Now go to https://gitlab.com/dummy/test/wikis/index.html. As you will see, this executes the JavaScript that is stored in the file.

{F91538}

# Impact

GitLab doesn't have a content security policy, which means that clients allow inline JavaScript to be executed. This gives access to the current user's API token. The API token can be used to access the user's projects, perform actions as the user, gain access to potentially confidential information, etc.
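The root cause above is a user-pushed file being rendered as HTML on the main origin with no Content-Security-Policy. The following is an added example, not code from the report or from GitLab: a small CSP parser that answers "would this policy still run inline `<script>` blocks?" and a header builder for serving raw wiki files as inert downloads. The header values and the `raw_file_headers` name are illustrative choices, not GitLab's actual fix.

```python
"""Added example (not from the HackerOne report or GitLab's code base)."""


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def allows_inline_script(policy: str) -> bool:
    """True if a page carrying this CSP header will execute inline scripts.

    No policy at all (the situation in the report) means yes. script-src
    falls back to default-src when absent. 'unsafe-inline' re-enables inline
    execution unless a nonce or hash source is also present (CSP level 2+).
    """
    if not policy.strip():
        return True
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither directive given: scripts are unrestricted
    if "'unsafe-inline'" not in sources:
        return False
    nonce_or_hash = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return not any(s.startswith(nonce_or_hash) for s in sources)


def raw_file_headers(filename: str,
                     policy: str = "default-src 'none'; sandbox") -> dict[str, str]:
    """Response headers for serving repository or wiki files verbatim.

    A restrictive CSP, no MIME sniffing and an attachment disposition mean a
    pushed index.html is downloaded rather than rendered on the site origin,
    so it cannot touch the logged-in user's session or API token.
    """
    if allows_inline_script(policy):
        raise ValueError("policy would still permit inline script execution")
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": policy,
    }
```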
Report Stats
  • Report ID: 136333
  • State: Closed
  • Substate: resolved
  • Upvotes: 13