Denial of service via AsciiDoc include:: overuse

HackerOne report #712622 by kgadyrka on 2019-10-12, assigned to @ankelly:

Summary

A user can cause a DoS affecting the whole site by using two .adoc files which include each other via the include:: directive.

Steps to reproduce

  1. Create a.adoc and b.adoc files in a repository (attached to report).
  2. Open the a.adoc file (/<username>/<project>/blob/master/a.adoc). It may be required to duplicate the browser tab several times to cause DoS on more performant hardware.

Impact

CPU load increases up to 100%, making the service unavailable for all users.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • a.adoc
  • b.adoc
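
One way a renderer can bound the mutual include:: described in this report, shown as an added example that is not part of the report and is not GitLab's or Asciidoctor's code. The names `FILES`, `IncludeLimitError`, `expand` and `safe_render` are hypothetical, and the file contents are constructed, since the report's attachments are not reproduced on this page.

```ruby
# Added example: a toy include expander with a cycle check and a per-render budget.
# All names here are hypothetical; this is not the GitLab or Asciidoctor API.
class IncludeLimitError < StandardError; end

INCLUDE_RE = /\Ainclude::([^\[\s]+)\[[^\]]*\]\s*\z/

# Constructed sample repository: a.adoc and b.adoc include each other.
FILES = {
  'a.adoc' => "= A\ninclude::b.adoc[]\n",
  'b.adoc' => "= B\ninclude::a.adoc[]\n",
  'ok.adoc' => "= OK\ninclude::leaf.adoc[]\n",
  'leaf.adoc' => "leaf text\n"
}.freeze

# Expands include:: lines from `files`, refusing cycles and capping the
# total number of includes processed for one render.
def expand(name, files, max_includes: 32, stack: [], budget: nil)
  budget ||= { left: max_includes }
  raise IncludeLimitError, "include cycle: #{(stack + [name]).join(' -> ')}" if stack.include?(name)

  source = files.fetch(name) { raise IncludeLimitError, "missing include target: #{name}" }
  source.each_line.map do |line|
    m = INCLUDE_RE.match(line.chomp)
    next line unless m

    # The budget is shared across the whole render, so wide fan-out is
    # bounded as well as deep or circular nesting.
    budget[:left] -= 1
    raise IncludeLimitError, "include budget of #{max_includes} exhausted" if budget[:left] < 0

    expand(m[1], files, max_includes: max_includes, stack: stack + [name], budget: budget)
  end.join
end

# Returns [:ok, text] or [:rejected, reason] so a caller can show a
# placeholder instead of spending CPU on the document.
def safe_render(name, files, **opts)
  [:ok, expand(name, files, **opts)]
rescue IncludeLimitError => e
  [:rejected, e.message]
end
```

The cycle check rejects the a.adoc/b.adoc pair on the first repeated file, and the shared budget bounds work for documents that are not circular but include many files.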