DoS on wiki page: uneditable pages

HackerOne report #907260 by yvvdwf on 2020-06-24:

Dear team,

I found a similar bug as the one in being reported here with the same impact: once being created, the page cannot be modified or deleted via website's interface.

Steps to reproduce

Create a new wiki page.
In the Title filed, fill ~/test
Content can be anything
Click Create page button

The page being created has the path var/opt/gitlab/test (instead of ~/test). The page cannot be neither modified, nor deleted via web's interface.

Impact

What is the current bug behavior?

The tile character ~ is translated into /var/opt/gitlab

What is the expected correct behavior?

The tile character should not be translated

Output of checks

This bug happens on GitLab.com

Impact

Once being created, the wiki page cannot be neither modified, nor deleted via web's interface.

Todo

Security fix in Gitaly: https://gitlab.com/gitlab-org/security/gitlab/-/issues/207
Fix in upstream gollum-lib gem: https://github.com/gollum/gollum-lib/pull/385
Fix in forked gitlab-gollum-lib gem

Edited Oct 06, 2020 by Markus Koller