All functions that allow users to specify color code are vulnerable to ReDoS
HackerOne report #511381 by 8ayac
on 2019-03-17, assigned to hackerjuan
Summary:
Invalid color code leads to DoS.
Description:
GitLab has some functions that allow users to specify a color code (e.g. Labels, Broadcast Messages).
All those functions are vulnerable to ReDoS.
It seems that there is a problem with the regex in app\validators\color_validator.rb that validates the specified color code.
An attacker can exhaust the server's CPU with this vulnerability and cause a continuous DoS.
Steps To Reproduce:
- Create a project.
- Go to http(s)://{GitLab Host}/{userid}/{Project Name}/labels/new.
- Fill out the "Title" form with "PoC".
- Click the "Create label" button.
- Intercept the request.
- Change the value of the label%5Bcolor%5D parameter to "#" followed by "0" repeated 50000 times and then "c0ffee".
- Forward the request.
Result: The GitLab service can no longer be accessed. (The server's CPU usage rose to over 90%.)
Note: If the attacker sends requests continuously, the DoS will be continuous.
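The defence the report points at is a color validator whose cost cannot be driven up by input length. The following is an added example, not GitLab's color_validator.rb; the regex, the 7-character limit and the module name are assumptions, and the payload is constructed in the shape described above.

```ruby
# Added example (not GitLab's own color_validator.rb): a hex color-code
# validator written so that hostile input cannot trigger regex backtracking.
require 'benchmark'

module SafeColor
  MAX_LENGTH = 7                        # "#" + six hex digits ("#c0ffee")
  # Anchored at both ends (\A ... \z, not ^/$ which stop at a newline);
  # a single alternation of fixed-width \h runs, with no nested or
  # adjacent unbounded quantifiers, so matching work is linear.
  HEX_COLOR = /\A#(?:\h{6}|\h{3})\z/

  # Returns :ok, or a symbol naming why the value was rejected.
  def self.check(value)
    return :not_a_string unless value.is_a?(String)
    # Reject oversized input before the regex ever runs: this alone caps
    # the work an attacker can force, whatever the pattern looks like.
    return :too_long if value.length > MAX_LENGTH
    HEX_COLOR.match?(value) ? :ok : :bad_format
  end

  def self.valid?(value)
    check(value) == :ok
  end
end

# Constructed input in the shape reported above: "#", 50,000 zeros, "c0ffee".
REPORTED_PAYLOAD = "#" + ("0" * 50_000) + "c0ffee"

if __FILE__ == $PROGRAM_NAME
  elapsed = Benchmark.realtime { SafeColor.check(REPORTED_PAYLOAD) }
  puts "payload rejected as #{SafeColor.check(REPORTED_PAYLOAD)} " \
       "in #{(elapsed * 1000).round(3)} ms"
  puts "#c0ffee -> #{SafeColor.check('#c0ffee')}"
  puts "#abc\\n  -> #{SafeColor.check("#abc\n")}"
end
```

The length check is the part that holds regardless of the regex; the anchored, quantifier-free pattern is what makes the regex itself safe even for inputs under the cap.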
Supporting Material/References:
Regular expression Denial of Service - ReDoS - OWASP
Impact
No users will be able to access the GitLab service at all.
Links
Issue on dev: https://dev.gitlab.org/gitlab/gitlabhq/issues/2858