Crafted Markdown payload leads to DoS condition

HackerOne report #549523 by near_ on 2019-04-27, assigned to estrike:

Background

GitLab issue #55653 demonstrates an attack in which the Markdown parser can be exploited to achieve a denial-of-service condition. It was possible to achieve a similar outcome with a crafted Markdown payload: [a](javascript:alert(1))

Issue

Proof of concept

  1. As an authenticated GitLab.com user, create a new project and Markdown wiki page

  2. Update the wiki homepage to contain [a](javascript:alert(1)) and observe that it becomes completely inaccessible, throwing a 500 error (e.g. https://gitlab.com/authnearbbp/example2/wikis/home)

[Screenshot attachment: wiki_dos.png]

When the same payload is used elsewhere, such as Issue Comments and Web IDE, note that Markdown preview fails to load (similarly throwing a 500 error). I plan to take a quick glance at the logs on a local GitLab EE instance to see what might be going on here but wanted to flag this now as it seems to have been a P2/S2 concern in the past.

Impact

An attacker could render project wikis (and potentially other surfaces where Markdown is parsed) inaccessible, preventing content on these surfaces from being actioned.
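The report does not say why GitLab's renderer fails on this destination. As an added defensive illustration (not GitLab's code, and not the fix that was applied), the Python below pre-filters inline Markdown links, dropping destinations whose URI scheme is not on an allow list (so `[a](javascript:alert(1))` degrades to the plain text `a`) while always returning a renderable document instead of aborting with a 500. `SAFE_SCHEMES`, `scheme_of` and `neutralise_links` are names assumed for this example.

```python
from urllib.parse import urlsplit

# Schemes accepted as link destinations; '' covers relative links.
# Everything else (javascript:, data:, vbscript:, ...) is neutralised.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp", ""}


def scheme_of(dest: str) -> str:
    """Lower-cased URI scheme of a link destination ('' if relative)."""
    # Drop control characters and whitespace first: browsers ignore them
    # inside a scheme, so "java\tscript:" must still be seen as javascript.
    cleaned = "".join(ch for ch in dest if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower()


def neutralise_links(markdown: str):
    """Rewrite unsafe inline links [text](dest) to their text.

    Returns (filtered_markdown, number_of_links_dropped). Never raises on
    hostile or malformed input; anything that is not a well-formed link is
    copied through unchanged so the rest of the page still renders.
    """
    out, i, dropped = [], 0, 0
    while True:
        close = markdown.find("](", i)          # end of link text
        if close < 0:
            out.append(markdown[i:])
            break
        start = markdown.rfind("[", i, close)   # start of link text
        # Scan the destination, honouring balanced parentheses as CommonMark
        # does, so "javascript:alert(1)" is consumed as a single destination.
        depth, j = 1, close + 2
        while j < len(markdown) and depth:
            depth += {"(": 1, ")": -1}.get(markdown[j], 0)
            j += 1
        if start < 0 or depth:
            # Not a well-formed inline link: copy through and keep scanning.
            out.append(markdown[i:close + 2])
            i = close + 2
            continue
        text, dest = markdown[start + 1:close], markdown[close + 2:j - 1]
        if scheme_of(dest) in SAFE_SCHEMES:
            out.append(markdown[i:j])           # keep the link verbatim
        else:
            out.append(markdown[i:start] + text)  # keep text, drop destination
            dropped += 1
        i = j
    return "".join(out), dropped
```

The count of dropped links is returned separately so a service can log it as a detection signal without changing what the user sees.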
