ReDoS in markup page
HackerOne report #1213328 by yvvdwf
on 2021-05-31, assigned to @dcouture:
Report
Markup pages ending in .wiki or .mediawiki are vulnerable to Regular expression Denial of Service (ReDoS).
Steps to reproduce
- In an existing project, or a newly created one, add a new file ending in .wiki, such as redos.wiki, with the following content:
==<!-- ==
- Save, then view the file on GitLab in "Display rendered file" mode, which is the default when viewing a markup file.
- The server CPU goes to 100%.
Impact
Creating multiple ReDoS files may cause a DoS on the GitLab server.
What is the current bug behavior?
A regex in WikiCloth that is used to remove comments is vulnerable to ReDoS:
data.gsub!(/<!--(.|\s)*?-->/, "")
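As an added illustration (this is not WikiCloth's code and not part of the report), the pattern quoted above is placed beside a hardened equivalent, with a small helper that counts how many characters both alternatives of the group can consume; that count is the exponent of the backtracking work the original does when the comment is never closed. The payload strings and function names are constructed here for the example.

```ruby
require "benchmark"

# The WikiCloth pattern as quoted in the report. Inside the lazy group,
# "." and "\s" both match a space, tab, CR, FF or VT (only "\s" matches
# "\n", because "." excludes newlines without the /m flag), so each such
# character can be consumed two ways. With no "-->" to stop at, a
# backtracking engine tries all 2^k combinations before giving up.
VULNERABLE_COMMENT_RE = /<!--(.|\s)*?-->/

# Hardened equivalent: a single branch, with /m so "." also covers
# newlines. Every character now has exactly one way to be consumed, so a
# failing match costs linear time and the accepted language is unchanged.
SAFE_COMMENT_RE = /<!--.*?-->/m

def strip_comments_vulnerable(data)
  data.gsub(VULNERABLE_COMMENT_RE, "")
end

def strip_comments_safe(data)
  data.gsub(SAFE_COMMENT_RE, "")
end

# Characters after the last "<!--" that both "." and "\s" can match.
# Returns 0 when there is no unterminated comment. This is the k in 2^k
# for the vulnerable pattern; the report's payload "==<!-- ==" gives 1,
# and each extra space or tab doubles the work.
def ambiguous_tail_length(data)
  idx = data.rindex("<!--")
  return 0 if idx.nil? || data.index("-->", idx)
  tail = data[(idx + 4)..]
  tail.count(" \t\r\f\v")
end

# Wall-clock cost of the vulnerable pattern on a constructed, unterminated
# comment followed by n spaces. On Ruby releases before 3.2 this grows
# roughly as 2^n; Ruby 3.2 and later memoize backtracking, so the same
# input stays fast there. Returned, not printed, so it can be asserted on.
def vulnerable_match_seconds(n)
  payload = "==<!--" + (" " * n) + "=="
  Benchmark.realtime { VULNERABLE_COMMENT_RE.match(payload) }
end

# Defence in depth on Ruby 3.2+: cap any single match so a pathological
# input raises Regexp::TimeoutError instead of pinning a worker's CPU.
# On older Rubies the setter does not exist and this is a no-op.
def install_regex_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "k=#{ambiguous_tail_length('==<!-- ==')} for the report's payload"
  [5, 10, 15].each { |n| puts "n=#{n}: #{vulnerable_match_seconds(n).round(4)}s" }
end
```

Both patterns remove exactly the same comments on well-formed input; only the cost of a failed match differs, which is why a timing test on an old Ruby shows the vulnerable one doubling with every added space while the /m single-branch version does not.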
Output of checks
I've tested on my own instance of GitLab.
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: sudo gitlab-rake gitlab:env:info)
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.3
Redis Version: 6.0.10
Git Version: 2.29.0
Sidekiq Version: 5.2.9
Go Version: go1.10.4 linux/amd64
GitLab information
Version: 13.10.3-ee
Revision: db2e358dba4
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.6
URL: http://gl.local
HTTP Clone URL: http://gl.local/some-group/some-project.git
SSH Clone URL: git@gl.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.17.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Causes a denial of service on the server side.