DoS Too long file name causes various impact.

Link:          https://hackerone.com/reports/413117
By:            @8ayac

Details: Summary: I have discovered various impacts caused by adding files whose file names are too long to the project, which violates the Availability and Integrity of the system.

Description: Adding a file whose filename is too long to a project has several impacts. Among them, the most interesting is the deletion of a certain file. The target is the file added to the project first.

Steps To Reproduce:

  1. Sign in to GitLab.
  2. Go to "http(s)://{GitLab host}/projects/new"
  3. Fill out "Project name" form with "testProject".
  4. Check the check box of "Initialize repository with a README.md".
  5. Click "Create project" button.
  6. Go to "http(s)://{GitLab host}/{user id}/testProject/new/master".
  7. Fill out "File name" form with 'A'*100000 (Generate it with the following command: $ python -c "print('A'*100000)").
  8. Click "Commit changes" button.

Result: README.md was deleted from the project.

Supporting Material

I attached a movie.

Impact

The impact is not limited to the above; there are several. Those I have confirmed are as follows:

  • Deletion of a certain file from the project. (as above)
  • Content of the file added in steps 7 to 8 above cannot be viewed. (If the file added is not empty.)
  • There is no way for the user to delete the added file. (The server returns "414 Request - URI Too Large".)
  • The user can't git clone the project.
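
A server-side check of the kind that would reject the file name from step 7 before a commit is created, as an added example (not from the report and not GitLab's code). The function name `file_path_errors` and all three limits are assumptions chosen for illustration.

```ruby
require "erb"

# Assumed limits (not taken from the report or from GitLab's code):
MAX_COMPONENT_BYTES = 255    # typical filesystem NAME_MAX
MAX_PATH_BYTES      = 4096   # typical Linux PATH_MAX
MAX_URL_PATH_BYTES  = 2000   # constructed budget, kept below common 414 thresholds

# Hypothetical validator: returns the reasons a repository file path must be
# rejected; an empty list means the path is acceptable.
def file_path_errors(path)
  return ["path is empty"] if path.nil? || path.empty?

  errors = []
  errors << "path contains a NUL byte" if path.include?("\0")
  errors << "path exceeds #{MAX_PATH_BYTES} bytes" if path.bytesize > MAX_PATH_BYTES

  components = path.split("/", -1)
  components.each do |component|
    if component.empty? || component == "." || component == ".."
      errors << "empty or relative path component"
    elsif component.bytesize > MAX_COMPONENT_BYTES
      errors << "component exceeds #{MAX_COMPONENT_BYTES} bytes"
    end
  end

  # The path later appears in view/delete URLs. Percent-encoding triples the
  # size of non-ASCII bytes, so measure the encoded form, not the raw one.
  encoded = components.map { |c| ERB::Util.url_encode(c) }.join("/")
  if encoded.bytesize > MAX_URL_PATH_BYTES
    errors << "encoded path exceeds #{MAX_URL_PATH_BYTES} bytes"
  end

  errors.uniq
end

if __FILE__ == $0
  # Constructed sample inputs: a normal name and the name from step 7.
  ["README.md", "A" * 100_000].each do |name|
    puts "#{name[0, 12]} (#{name.bytesize} bytes): #{file_path_errors(name).inspect}"
  end
end
```

Running the check before the commit is written means an over-long name never reaches the repository, so the states listed under Impact cannot be created through this form.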