
DoS exploiting Kroki lib

HackerOne report #1305431 by scaramouche31 on 2021-08-14, assigned to @ankelly:


Report

Hello, Gitlab Team! Today I stumbled upon this report: https://hackerone.com/reports/470067. I immediately tried to reproduce this behaviour using the Gitlab Kroki library and... it just works.

Summary

A low-privileged attacker can exploit the Kroki library to DoS any section with comments (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents inside repositories, Epics).

Steps to reproduce
  1. Enable Kroki in your GitLab build.
    On the top bar, select Menu > Admin.
    Go to Settings > General.
    Expand the Kroki section.
    Select the Enable Kroki checkbox.
    Enter the Kroki URL. It may be a Kroki server on https://kroki.io, but I used my own in a Docker container; just run

docker run -d --name kroki -p 8030:8000 yuzutech/kroki

and then specify http://127.0.0.1:8030 (don't forget to add 127.0.0.1 to the whitelist).

  2. Create a new project, then create an issue in it.
  3. Insert this payload in the comments section: payload.txt.
  4. Reload the page.
    DoS!

PoC video:
kazam_w8usv25x.movie.mp4

Fix

The fix should be something like the one for Mermaid and Math in the .com edition:

    if (
      !WHITELISTED_PAGES.includes(pageName) &&
      ((source && source.length > MAX_CHAR_LIMIT) ||
        renderedChars > MAX_CHAR_LIMIT ||
        renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT ||
        shouldLazyLoadMermaidBlock(source))
    ) {
      // raise a warning and don't render
    }

https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/behaviors/markdown/render_mermaid.js
https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/behaviors/markdown/render_math.js

But the problem affects every lib that Kroki supports: Bytefield, Ditaa, PlantUML, the one I used, and so on; the full list is here:
https://docs.gitlab.com/ee/administration/integration/kroki.html

Output of checks

This bug happens on the local Gitlab version.

P.s.

This bug doesn't fall under the timeout limits, because the DoS is caused using only one comment:

Size/Length limits (e.g. not able to add more than 2MB per Redis entry) - the payload weighs only 0.1 MB
Count limits (e.g. not more than X comments per issue) - you need only one comment
Call/time limits (e.g. a user can only do 1000 API calls per 10 minutes) - you don't need any API calls
Complexity limits (e.g. 1000 calls to endpoint X compared to 1000 calls to endpoint Y can be totally different) - you need only one call to the comment create endpoint
Max result limit (e.g. only return max 1000 results and say refine your search) - you don't need to search for anything

Results of GitLab environment info
scara@scara:~$ sudo gitlab-rake gitlab:env:info

System information  
System:		Ubuntu 20.04  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.7.2p137  
Gem Version:	3.1.4  
Bundler Version:2.1.4  
Rake Version:	13.0.3  
Redis Version:	6.0.14  
Git Version:	2.32.0  
Sidekiq Version:5.2.9  
Go Version:	unknown

GitLab information  
Version:	14.1.2-ee  
Revision:	0bf9b154ab4  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	12.6  
URL:		http://gitlab.local  
HTTP Clone URL:	http://gitlab.local/some-group/some-project.git  
SSH Clone URL:	git@gitlab.local:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	13.19.1  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Impact

  1. Any page with the malicious comment won't work normally anymore (it doesn't load). You can ruin issues, wikis, merges, etc.
  2. Because of the rendering attempt, CPU usage increases dramatically, which is quite serious for companies that run GitLab on a cloud provider's servers.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Andrew Kelly
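The Fix section above proposes applying the render_mermaid.js style limits to Kroki blocks. The following is an added example of such a guard, written for this page; it is not GitLab's code and not part of the report. The constants (MAX_CHAR_LIMIT, MAX_KROKI_BLOCK_LIMIT), the page identifiers in WHITELISTED_PAGES, the KROKI_LANGUAGES subset and the function names are all assumptions chosen for illustration, and the sample markdown documents are constructed inline.

```javascript
// Added example (not GitLab's code and not from the report): a client-side
// guard for Kroki diagram blocks modelled on the limits the report cites from
// render_mermaid.js. All constants, names and page identifiers are assumptions.

const MAX_CHAR_LIMIT = 2000;       // assumed: total diagram source chars rendered per page
const MAX_KROKI_BLOCK_LIMIT = 50;  // assumed: diagram blocks rendered per page
const WHITELISTED_PAGES = ['projects:wikis:show']; // assumed page ids exempt from the limits

// Subset of the languages the Kroki integration renders as diagrams.
const KROKI_LANGUAGES = new Set(['plantuml', 'ditaa', 'bytefield', 'graphviz', 'blockdiag']);

// Pull fenced code blocks out of markdown: [{ lang, source }], source without its trailing newline.
function extractFencedBlocks(markdown) {
  const fence = /^```([\w-]*)[ \t]*\r?\n([\s\S]*?)^```[ \t]*$/gm;
  const blocks = [];
  let match;
  while ((match = fence.exec(markdown)) !== null) {
    blocks.push({ lang: match[1].toLowerCase(), source: match[2].replace(/\r?\n$/, '') });
  }
  return blocks;
}

// Decide, block by block, which Kroki diagrams to send for rendering. A block is
// refused when it alone exceeds MAX_CHAR_LIMIT, when it would push the page's
// cumulative rendered source over that limit, or when the block count limit is
// reached. Refused blocks carry a reason so the UI can show a warning instead of
// the diagram (the "raise a warning and don't render" branch from the report).
// Pages in WHITELISTED_PAGES render everything, as render_mermaid.js allows.
function planKrokiRendering(markdown, pageName) {
  const exempt = WHITELISTED_PAGES.includes(pageName);
  let renderedChars = 0;
  let renderedBlocks = 0;
  const decisions = [];

  for (const block of extractFencedBlocks(markdown)) {
    if (!KROKI_LANGUAGES.has(block.lang)) continue; // not a diagram; stays a plain code block

    let reason = null;
    if (block.source.length > MAX_CHAR_LIMIT) reason = 'block_too_large';
    else if (renderedChars + block.source.length > MAX_CHAR_LIMIT) reason = 'page_limit_reached';
    else if (renderedBlocks >= MAX_KROKI_BLOCK_LIMIT) reason = 'too_many_blocks';

    if (reason && !exempt) {
      decisions.push({ lang: block.lang, chars: block.source.length, render: false, reason });
      continue;
    }
    renderedChars += block.source.length;
    renderedBlocks += 1;
    decisions.push({ lang: block.lang, chars: block.source.length, render: true, reason: null });
  }
  return decisions;
}

// Constructed sample documents. Fences are built with join() so no backticks
// have to be escaped inside template literals.
function fenced(lang, body) {
  return ['```' + lang, body, '```'].join('\n');
}
const SMALL_DIAGRAM = '@startuml\nA -> B\n@enduml';
const ISSUE_PAGE = 'projects:issues:show'; // assumed page id for an issue view

const SAMPLE_NORMAL = [
  'Some discussion text.',
  fenced('plantuml', SMALL_DIAGRAM),
  fenced('ruby', 'puts "not a diagram"'),
].join('\n\n');

// One block of 2799 chars: exceeds the per-block limit on its own.
const SAMPLE_OVERSIZED = fenced('plantuml', 'A -> B\n'.repeat(400).trim());

// Two blocks of 1189 chars each: the second pushes the page over the limit.
const SAMPLE_CUMULATIVE = [
  fenced('ditaa', 'A -> B\n'.repeat(170).trim()),
  fenced('ditaa', 'A -> B\n'.repeat(170).trim()),
].join('\n\n');

// 51 small blocks: well under the char limit, one over the block count limit.
const SAMPLE_MANY = Array.from({ length: MAX_KROKI_BLOCK_LIMIT + 1 }, () => fenced('bytefield', SMALL_DIAGRAM)).join('\n\n');

if (typeof require !== 'undefined' && require.main === module) {
  const samples = [['normal', SAMPLE_NORMAL], ['oversized', SAMPLE_OVERSIZED], ['cumulative', SAMPLE_CUMULATIVE], ['many', SAMPLE_MANY]];
  for (const [name, doc] of samples) {
    const refused = planKrokiRendering(doc, ISSUE_PAGE).filter((d) => !d.render);
    console.log(`${name}: ${refused.length} block(s) refused`, refused.map((d) => d.reason));
  }
}
```

The three limits are checked in order of severity: a single oversized block is refused even if it is the first diagram on the page, while the cumulative and count limits only bite once earlier blocks have consumed the budget. Whatever is refused must still be shown to the reader as a warning with the raw source, not silently dropped, which is what the `reason` field is for.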