
DOS on WIKI pages (Creating uneditable pages)

HackerOne report #815679 by newbiemole on 2020-03-10, assigned to @cmaxim:

Summary

As per the documentation on https://docs.gitlab.com/ee/user/project/wiki/

Create a new page by clicking the New page button that can be found in all wiki pages.
You will be asked to fill in a title for your new wiki page.
You can specify a full path for the wiki page by using ‘/’ in the title to indicate subdirectories. Any missing directories will be created automatically. For example, a title of docs/my-page will create a wiki page with a path /wikis/docs/my-page.

I tried to create a Wiki page without any subdirectories or even a directory.

Steps to reproduce

  1. Create a new WIKI page.
  2. In the title field, fill in dos/../.
  3. For Format, select any entry of the dropdown list, e.g. Markdown.
  4. For content, enter anything you like, e.g. newbiemole@hackerone.com (screenshot: git1.png).
  5. Click Create page.

You will be redirected to https://gitlab.com/ruralnet-v3/test/-/wikis/dos/...md (screenshot: git2.png).

Please check.

Best Regards,

newbiemole

Impact

You will notice that the dos path is not created/does not exist and the title of the wiki page is unknown.
You will not be able to modify the page since the directory doesn't exist.
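The root cause described above is a wiki title that is split into path segments without rejecting `.` and `..`. The following is an added example of a defensive title check, not GitLab's own code; the `WIKI_TITLE_MAX` limit and the function names are assumptions for illustration.

```ruby
# Added example (not GitLab's code): a conservative check for wiki page titles
# that are interpreted as "dir/sub/page" paths. The report shows that a title
# such as "dos/../." reaches the wiki as a path whose directory never exists,
# leaving the page uneditable. Normalizing the title into segments and
# rejecting anything that would escape or collapse a directory prevents that.

WIKI_TITLE_MAX = 255 # assumed limit for illustration, not taken from GitLab

# Returns the canonical "dir/sub/page" form of a title, or nil if it is unsafe.
def normalize_wiki_title(title)
  return nil if title.nil?
  # Limit -1 keeps trailing empty segments, so "trailing/" is not silently accepted.
  segments = title.strip.split("/", -1)
  return nil if segments.empty?
  # Empty segments come from leading/trailing or doubled slashes; "." and ".."
  # would be resolved by a filesystem-backed store, so reject them outright
  # instead of trying to collapse them.
  return nil if segments.any? { |s| s.empty? || s == "." || s == ".." }
  path = segments.join("/")
  return nil if path.length > WIKI_TITLE_MAX
  path
end

# Convenience predicate for use at the point where the title is accepted.
def valid_wiki_title?(title)
  !normalize_wiki_title(title).nil?
end

if __FILE__ == $0
  # Constructed sample titles, including the one from the report.
  ["docs/my-page", "dos/../.", "dos/../page", "/leading", "trailing/", "a//b", ""].each do |t|
    puts "#{t.inspect.ljust(16)} -> #{normalize_wiki_title(t).inspect}"
  end
end
```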

Attachments

Warning: Attachments received through HackerOne, please exercise caution!