Uncontrolled Resource Consumption in any Markdown field using Mermaid
HackerOne report #990461 by misha98857 on 2020-09-24, assigned to @kaunghtet:
Report
Summary
I found a bypass for the mitigation of DoS via Mermaid (CVE-2019-9220) and DoS via Mermaid (CVE-2019-15584).
As the mitigation for CVE-2019-9220, an input limit of 5000 characters is currently applied to a Mermaid code block, but it can be bypassed by simply splitting the longer payload into many small code blocks.
Steps to reproduce
- Sign in to GitLab.
- Open any page where you can input Markdown text using Mermaid into the form.
- Copy and paste the contents of the attached file ("poc.txt") to the input form.
- Save the Markdown text on the page you opened. (For example, click "Comment" on the "Issue" page or save the "Readme.md" file.)
- The page freezes and stops working; the Chrome task manager shows 100% CPU usage for a long time.
What is the current bug behavior?
When rendering of the Mermaid graphs starts, the browser tab displaying the page freezes.
This behavior prevents browsing and editing the page to which the Mermaid graphs have been added.
Also, the resources used by the browser tab will increase as rendering continues. In the worst case, the entire browser also freezes or crashes. My browser can load the first graphs, but after the first view the other graphs load indefinitely.
What is the expected correct behavior?
We need a mechanism to stop rendering in advance by detecting if the user's input contains a large number of Mermaid code blocks.
Output of checks
Bug tested on readme.md file Markdown and issue comments.
Browser used for testing: Version 85.0.4183.102 (Official Build) Arch Linux (64-bit)
Impact
This vulnerability is effective not only on Issue or Readme.md pages but also on all pages using Markdown with Mermaid.
The following impacts exist on the attacked page:
- All users cannot view the attacked page. (In some situations, the users may see incomplete rendering of the attacked page, but the user's viewing is still significantly blocked.)
- All users cannot take any action on the attacked page.
- Depending on the user's environment, crashing or freezing the entire browser may cause user data being edited to be lost.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
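
One way to build the pre-render check requested under "expected correct behavior", as an added example that is not part of the original report and not GitLab's code. It assumes the check runs on the raw Markdown text; the 5000-character per-block limit is the one named in the report, while the page-wide limits (TOTAL_CHARS, MAX_BLOCKS) and all function names are hypothetical.

```javascript
// Added example, not GitLab's code: a page-wide budget checked before any diagram renders.
// PER_BLOCK_CHARS is the limit named in the report; TOTAL_CHARS and MAX_BLOCKS are assumed.
const LIMITS = { PER_BLOCK_CHARS: 5000, TOTAL_CHARS: 5000, MAX_BLOCKS: 50 };

// Collect the source of every fenced block whose info string starts with "mermaid".
function extractMermaidBlocks(markdown) {
  const blocks = [];
  let fence = null; // set while inside a fenced block
  for (const line of markdown.split(/\r?\n/)) {
    const m = /^ {0,3}(`{3,}|~{3,})(.*)$/.exec(line);
    if (!fence) {
      if (!m) continue;
      const info = m[2].trim().split(/\s+/)[0].toLowerCase();
      fence = { char: m[1][0], len: m[1].length, mermaid: info === 'mermaid', lines: [] };
    } else if (m && m[1][0] === fence.char && m[1].length >= fence.len && !m[2].trim()) {
      if (fence.mermaid) blocks.push(fence.lines.join('\n'));
      fence = null;
    } else {
      fence.lines.push(line);
    }
  }
  // An unclosed fence runs to the end of the document, so it still counts.
  if (fence && fence.mermaid) blocks.push(fence.lines.join('\n'));
  return blocks;
}

// Per-block checks alone miss a payload split across blocks, so also track totals.
function planMermaidRender(markdown, limits = LIMITS) {
  const plan = { render: [], skipped: [] };
  let spent = 0;
  extractMermaidBlocks(markdown).forEach((src, index) => {
    let reason = null;
    if (src.length > limits.PER_BLOCK_CHARS) reason = 'block-too-large';
    else if (plan.render.length >= limits.MAX_BLOCKS) reason = 'too-many-blocks';
    else if (spent + src.length > limits.TOTAL_CHARS) reason = 'page-budget-exceeded';
    if (reason) return plan.skipped.push({ index, reason });
    spent += src.length;
    plan.render.push(index);
  });
  return plan;
}

// Constructed sample: `count` small Mermaid blocks, each padded with comment lines.
function sampleDocument(count, padding = 0) {
  const fence = '`'.repeat(3);
  const body = 'graph TD\nA-->B' + '\n%% filler'.repeat(padding);
  return Array.from({ length: count }, () => fence + 'mermaid\n' + body + '\n' + fence).join('\n\n');
}
```

Blocks listed in `skipped` would be left as plain code blocks with a notice instead of being passed to the Mermaid renderer.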