DoS on the Issue page by exploiting Mermaid.
HackerOne report #470067 by 8ayac
on 2018-12-19:
Summary: An attacker could exploit Mermaid, which is available in Markdown, to cause a DoS.
Description: The Markdown supported by GitLab can generate diagrams and flowcharts from text using Mermaid. An attacker can exploit this function to prevent users from successfully accessing some functions. For example, Markdown can be used in an Issue's comments, so any user who can comment on an Issue can cause a DoS on that Issue.
Steps To Reproduce:
[Preparation]
- Create a new public Project.
- Create an Issue in the Project created in step 1.
- Add some comments to the Issue created in step 2.
[Attack Flow]
- Go to the Issue page created in preparation step 2.
- Copy the payload. (payload is attached file.)
- Paste the payload on the comment input form.
- Submit the comment.
Result: Since the screen freezes, the user cannot access the details of the Issue. In addition, the user cannot take any further action on that Issue.
NOTE: Similar attacks are effective against all functions that can use Markdown.
Supporting Material/References:
- payload.txt
- poc.mp4
Impact
- No user will be able to access the Issue details.
- No user can take further actions on the Issue.
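One defensive pattern for the rendering side, added here as an example and not code from GitLab or from the reporter: before handing a Mermaid block to the renderer, gate it behind a source-size cap, a cheap edge-count estimate, and a per-page budget, and defer anything over budget behind an explicit user action instead of rendering it on page load. The limit values, the helper names, and the constructed sample Markdown are assumptions made for this example.

```javascript
// Added hardening example (not GitLab's code): gate client-side Mermaid
// rendering so a single oversized comment cannot freeze every viewer's
// browser. The limit values below are illustrative assumptions.
const LIMITS = {
  maxSourceChars: 2000,     // longest diagram source rendered automatically
  maxEdges: 200,            // rough upper bound on edges in one diagram
  maxDiagramsPerPage: 10,   // diagrams auto-rendered per page load
};

// Extract ```mermaid fenced blocks from Markdown text, in document order.
// Only a fence tagged exactly "mermaid" is treated as renderable.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  const re = /```mermaid[ \t]*\r?\n([\s\S]*?)\r?\n```/g;
  let m;
  while ((m = re.exec(markdown)) !== null) {
    blocks.push({ source: m[1], start: m.index, end: m.index + m[0].length });
  }
  return blocks;
}

// Cheap pre-render complexity estimate: count a few common Mermaid arrow
// forms. This is a heuristic that over-approximates, which is the safe
// direction for a limit.
function estimateEdges(source) {
  const matches = source.match(/-->|---|-\.->|==>|->>/g);
  return matches ? matches.length : 0;
}

// Decide whether one diagram may be rendered automatically, and why not.
function gateDiagram(source, limits = LIMITS) {
  if (source.length > limits.maxSourceChars) {
    return { render: false, reason: 'source too large' };
  }
  if (estimateEdges(source) > limits.maxEdges) {
    return { render: false, reason: 'too many edges' };
  }
  return { render: true, reason: 'ok' };
}

// Walk a page's Markdown and return a render plan: which diagrams render
// now and which are deferred behind a user click. The per-page cap bounds
// total work even when every individual diagram passes its own checks.
function planMermaidRendering(markdown, limits = LIMITS) {
  const plan = [];
  let autoRendered = 0;
  for (const block of extractMermaidBlocks(markdown)) {
    const decision = gateDiagram(block.source, limits);
    if (decision.render && autoRendered >= limits.maxDiagramsPerPage) {
      decision.render = false;
      decision.reason = 'per-page diagram budget exhausted';
    }
    if (decision.render) autoRendered += 1;
    plan.push({ ...block, ...decision });
  }
  return plan;
}

// Constructed sample comment: one small diagram followed by an oversized
// chain of 300 nodes, the kind of input the gate should refuse to auto-render.
const SAMPLE_MARKDOWN = [
  'Some comment text.',
  '```mermaid',
  'graph TD',
  '  A --> B',
  '  B --> C',
  '```',
  'More text.',
  '```mermaid',
  'graph LR',
  ...Array.from({ length: 300 }, (_, i) => `  N${i} --> N${i + 1}`),
  '```',
].join('\n');

// Example usage: decide what to render for the constructed comment.
const samplePlan = planMermaidRendering(SAMPLE_MARKDOWN);
for (const entry of samplePlan) {
  console.log(`${entry.render ? 'render' : 'defer '}  ${entry.reason}`);
}
```

The deferred entries would be shown as a placeholder with a "render diagram" control, so a viewer who wants the heavy diagram can opt in while everyone else keeps a responsive page.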