
DoS by exploiting the math feature on the issue page.

HackerOne report #1350793 by cancerz on 2021-09-24, assigned to GitLab Team:

Report | Attachments | How To Reproduce

Report

Exploiting markdown with the math feature by supplying a large value results in a DoS on the issue page.

Summary:
The markdown documentation available on docs.gitlab.com says:

Math

Math written in LaTeX syntax is rendered with KaTeX.

Math written between dollar signs $ is rendered inline with the text. Math written in a code block with the language declared as math is rendered on a separate line:

This math is inline $`a^2+b^2=c^2`$.

This is on a separate line:

```math
a^2+b^2=c^2
```

I was trying the DoS attack with basic math with this payload:

a^2+b^2=c^2+a^2+b^2=c^2+a^2+b^2=c^2 and more than 1000 characters.

But nothing impactful, just a rendering error alert.

Then I saw that the math feature is supported in inline text by supplying a dollar sign $ at the front and at the end, not just in a code block.

Steps To Reproduce:
In my testing I used two accounts:
first account: administrator
second account: attacker.

  1. The administrator creates a project with public visibility,
    then creates an issue page.

  2. In the attacker tab, open the link to the issue that was created by the first account, then comment with normal characters to test that the page is fine.
    Then send a comment with the large math payload (the payload is available in the attachment).
    After successfully sending the comment, reload the page as the attacker (if the attack is successful the attacker can't click any button, the page is just stuck loading).

  3. The administrator opens the issue page and reloads the browser tab; as an administrator, the same as the attacker, they can't access anything on the issue page and just see the page loading continuously.

Impact:
The issue page cannot be opened by any other users.
The administrator can't access the option to delete or edit the issue; all options are inaccessible, so the only way is to delete the project to get the issue deleted.

Supporting materials:
[DOS.ISSUE.PAGE.mp4] video proof-of-concept
[dos.txt] payload for the attack; just copy the payload, paste it into a comment and send the comment.

This bug happens on GitLab.com

Thanks,
best regards.

Impact

The issue page cannot be opened by any other users.
The administrator can't access the option to delete or edit the issue; all options are inaccessible, so the only way is to delete the project to clear the issue.
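The root cause the report points at is unbounded client-side work: every math fragment in every comment is handed to KaTeX when the issue page loads, so a single comment full of inline fragments stalls the page for everyone. The guard below is an added example, not GitLab's own code or fix: a pre-render pass that recognises the two syntaxes quoted from the docs (inline $`...`$ and fenced ```math blocks), enforces a per-page budget, and marks everything beyond it for a placeholder instead of rendering. The limit values and the `MATH_LIMITS`/`planMathRendering` names are assumptions chosen for illustration; `maxExpand` and `maxSize` are real KaTeX render options, but the values given are illustrative, not GitLab's settings. The sample inputs are constructed here and are not the reporter's dos.txt attachment.

```javascript
// Added example, not GitLab's code: a pre-render guard for user-supplied math.
// It recognises the two GitLab syntaxes quoted in the report (inline $`...`$
// and fenced ```math blocks) and refuses to hand KaTeX more work than a
// page budget allows. Limit values are assumptions chosen for illustration.
const MATH_LIMITS = {
  maxNodes: 50,          // math fragments rendered per page
  maxCharsPerNode: 1000, // LaTeX source length per fragment
  maxTotalChars: 20000,  // LaTeX source length across the whole page
};

// Real KaTeX render options that bound the work a single expression can do;
// the values here are illustrative, not GitLab's settings.
const KATEX_OPTIONS = {
  throwOnError: false, // bad input renders as an error span instead of throwing
  maxExpand: 1000,     // cap macro expansions (stops \def recursion bombs)
  maxSize: 10,         // cap user-specified sizes such as \rule{999em}{999em}
};

const FENCED_MATH = /```math\n([\s\S]*?)\n```/g;
const INLINE_MATH = /\$`([^`\n]+)`\$/g;

// Pull every math fragment out of a markdown string, fenced blocks first so
// that inline syntax inside a fenced block is not counted twice.
function extractMathFragments(markdown) {
  const fragments = [];
  for (const m of markdown.matchAll(FENCED_MATH)) {
    fragments.push({ kind: 'block', src: m[1] });
  }
  const withoutFenced = markdown.replace(FENCED_MATH, ' ');
  for (const m of withoutFenced.matchAll(INLINE_MATH)) {
    fragments.push({ kind: 'inline', src: m[1] });
  }
  return fragments;
}

// Decide, fragment by fragment, whether it gets rendered or replaced by a
// placeholder (for example a "display anyway" button). Everything beyond the
// page budget is skipped, so a flood of fragments cannot pin the renderer.
function planMathRendering(markdown, limits = MATH_LIMITS) {
  let rendered = 0;
  let totalChars = 0;
  const plan = extractMathFragments(markdown).map((f) => {
    const tooLong = f.src.length > limits.maxCharsPerNode;
    const overBudget =
      rendered >= limits.maxNodes ||
      totalChars + f.src.length > limits.maxTotalChars;
    if (tooLong || overBudget) {
      return { ...f, action: 'placeholder' };
    }
    rendered += 1;
    totalChars += f.src.length;
    return { ...f, action: 'render', options: KATEX_OPTIONS };
  });
  return { plan, rendered, skipped: plan.length - rendered };
}

// Constructed sample inputs (not the reporter's dos.txt attachment): the docs
// example quoted in the report, and a comment that floods the page with
// inline fragments the way the report describes.
const DOCS_EXAMPLE =
  'This math is inline $`a^2+b^2=c^2`$.\n\n' +
  'This is on a separate line:\n\n```math\na^2+b^2=c^2\n```\n';

function buildFloodComment(count) {
  return Array.from({ length: count }, () => '$`a^2+b^2=c^2`$').join(' ');
}

console.log(planMathRendering(DOCS_EXAMPLE).plan);
const floodSummary = planMathRendering(buildFloodComment(500));
console.log(`flood comment: rendered=${floodSummary.rendered} skipped=${floodSummary.skipped}`);
```

The budget is counted per page rather than per comment, because the report's impact is on the issue page as a whole: an attacker who can post several comments would otherwise just split the payload. The placeholder action is where a UI would offer to render the remaining math on demand, which keeps the edit and delete controls usable for the project owner.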

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Costel Maxim