Client-side resource exhaustion by exploiting GitLab math rendering

HackerOne report #549040 by abdilahrf_ on 2019-04-26, assigned to hackerjuan:

Workflow issue on dev

Summary

According to the documentation, GitLab Markdown supports math expression rendering using KaTeX, which can process a subset of LaTeX syntax. Math can be written in two ways in the Markdown: inline, and as a multiline block.

(Screenshot attachment: KaTex.PNG)

Steps to reproduce

Step-by-step guide to reproduce the issue, including:

  1. Pick any repository that you want to attack
  2. Create a new issue and use payload 1.md or 2.md
  3. Everyone who tries to open the issue will hang, since rendering it consumes a huge amount of resources

Or check out this video:
(Video attachment: clientside-resource-exhausting.mp4)

Impact

The project owner, and anyone else who tries to view the issue, gets a hung browser because KaTeX tries to render the nested sqrt function without any limit; this also leaves the owner unable to close the issue.

What is the current bug behavior?

I was able to use nested sqrt and rules functions without any limitation, making the website unresponsive.

What is the expected correct behavior?

Nesting should be limited to a fixed, reasonable depth, and the maxSize option should be used to limit the rendered width/height.

Output of checks

abdilah.pb/testing-project#2

Remediation

Use the maxSize option to prevent oversized width/height visual affronts, the maxExpand option to prevent infinite macro loop attacks, and the allowedProtocols option to prevent certain protocols in \href. Please refer to the KaTeX Options documentation for more details: https://katex.org/docs/security.html
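One way to apply the remediation above, as an added example that is not GitLab's or KaTeX's own code: a pre-render gate that rejects overly deep brace nesting (the "fixed amount" limit the expected behaviour calls for) before handing the expression to KaTeX with the maxSize, maxExpand and allowedProtocols options. The depth and length limits, the option values, and the injected renderToString parameter are assumptions made for this example.

```javascript
// Added example (not GitLab's or KaTeX's code). Gate a TeX string before it
// reaches KaTeX. The limits below are assumed values chosen for illustration.
const MAX_NESTING = 20;   // assumed: deepest {...} nesting (e.g. nested \sqrt) accepted
const MAX_LENGTH = 2000;  // assumed: longest expression accepted

// Options for KaTeX's renderToString, per https://katex.org/docs/security.html.
// The concrete values are assumptions, not a recommended production setting.
const KATEX_OPTIONS = {
  maxSize: 10,                                   // cap sizes so \rule/\sqrt cannot grow unboundedly
  maxExpand: 1000,                               // cap macro expansions to stop infinite macro loops
  allowedProtocols: ['http', 'https', 'mailto'], // restrict what \href may point at
  throwOnError: false,
};

// Return the deepest brace-group nesting in a TeX string, ignoring escaped braces.
function maxGroupDepth(tex) {
  let depth = 0;
  let max = 0;
  for (let i = 0; i < tex.length; i++) {
    const c = tex[i];
    if (c === '\\') { i++; continue; }          // skip the escaped character (\{ or \})
    if (c === '{') { depth++; if (depth > max) max = depth; }
    else if (c === '}') depth = Math.max(0, depth - 1);
  }
  return max;
}

// Decide whether an expression may be rendered; returns { ok, reason }.
function checkMathInput(tex) {
  if (tex.length > MAX_LENGTH) return { ok: false, reason: 'expression too long' };
  const depth = maxGroupDepth(tex);
  if (depth > MAX_NESTING) return { ok: false, reason: `nesting depth ${depth} exceeds ${MAX_NESTING}` };
  return { ok: true, reason: '' };
}

// Render through an injected KaTeX-style renderer (e.g. katex.renderToString);
// rejected input is shown as escaped plain text instead of being rendered.
function renderMathSafely(tex, renderToString) {
  const verdict = checkMathInput(tex);
  if (!verdict.ok) {
    const escaped = tex.replace(/[&<>"']/g, ch => `&#${ch.charCodeAt(0)};`);
    return `<code class="math-rejected" title="${verdict.reason}">${escaped}</code>`;
  }
  return renderToString(tex, KATEX_OPTIONS);
}

// Constructed sample input: the nested-sqrt shape the report describes, n levels deep.
function nestedSqrt(n) { return '\\sqrt{'.repeat(n) + 'x' + '}'.repeat(n); }
```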

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Martin Hanzel