Use gitlab servers to spam huge emails
HackerOne report #1009040 by yvvdwf
on 2020-10-15, assigned to @rchan-gitlab:
Report
Each project's settings include the Emails on push service integration. The service emails the commits and diff of each push to a list of recipients.
The problem is that the recipients are neither verified nor limited in number.
Attackers may use this feature to spam (or promote their projects, as reported in 25994).
Furthermore, I strongly believe that attackers may cause DoS on gitlab servers when using a huge list of recipients, since there is no limit on the number of recipients.
Indeed, the emails are sent by app/workers/emails_on_push_worker.rb:
valid_recipients(recipients).each do |recipient|
  send_email(
    recipient,
    project_id,
    author_id: author_id,
    ref: ref,
    action: action,
    compare: compare,
    reverse_compare: reverse_compare,
    diff_refs: diff_refs,
    send_from_committer_email: send_from_committer_email,
    disable_diffs: disable_diffs
  )
end
The valid_recipients function does nothing but split the recipients by whitespace and keep every entry that contains an '@':
def valid_recipients(recipients)
  recipients.split.select do |recipient|
    recipient.include?('@')
  end
end
Steps to reproduce
- Create a new project or use an existing one, then go to Settings/Integrations/Emails on push
- Check Active, Push and Tag Push
- Enter a huge list of emails into the Recipients textbox, separated by spaces
- Hit Test Settings
Gitlab will send emails to all addresses in the recipients list.
I've not tested on gitlab.com but on my local installation using google mail to send emails.
Fortunately, google detected spamming and stopped sending emails after sending some.
Impact
- Allow attackers to use gitlab servers to spam email or promote their projects
- Cause DoS on gitlab servers
What is the current bug behavior?
The number of recipients is not limited.
What is the expected correct behavior?
The number of recipients should be limited.
Output of checks
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: sudo gitlab-rake gitlab:env:info)
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version: 13.4.1-ee
Revision: 4b9c8135cd9
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.9
URL: http://gl.local
HTTP Clone URL: http://gl.local/some-group/some-project.git
SSH Clone URL: git@gl.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.7.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git