Skip to content
GitLab
Next
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • GitLab GitLab
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 54.9k
    • Issues 54.9k
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 1.5k
    • Merge requests 1.5k
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Package Registry
    • Container Registry
    • Terraform modules
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • GitLab.orgGitLab.org
  • GitLabGitLab
  • Issues
  • #361982
Closed
Open
Issue created May 10, 2022 by GitLab SecurityBot@gitlab-securitybotReporter

DOS via issue preview and markdown preview

HackerOne report #1543718 by legit-security on 2022-04-18, assigned to @kmorrison1:

There were two additional reports by the same team which, since this was imported first, are being treated as duplicates due to sharing the same root cause

  • Unauthed via Markdown Preview API: https://hackerone.com/reports/1544465
  • REDoS via create/update issue: https://hackerone.com/reports/1543606

A fourth report, DoS via moving an issue, has a separate cause and separate issue: DOS via move_issue (#362379 - closed) / https://hackerone.com/reports/1543584

Report | How To Reproduce

Report

Summary

Unauthenticated requests to the markdown preview API /api/v4/markdown and authenticated previewing of an issue with a specially-crafted description results in high CPU usage for 60 seconds (request timeout).

Multiple requests can be issued in parallel to create a larger impact.

Steps to reproduce
  1. Given an authorized user (on GitLab.com - anyone can self-register. On EE - depends on instance configuration).
  2. Create an issue with the following description (provided a one-line python script to avoid bloating):
  3. Hit the preview button.

Steps 2&3 can be accomplished via the preview_markdown API endpoint.

The script:
python -c "print('![l' * int(1048576 / 3 - 1) + '\n')"
Note: this is essentially the maximal description size, but a smaller number of repetitions works too.

Impact

After 60 seconds (timeout) - the request fails.
Meanwhile, on the server end, (a single) CPU is burnt out (verified against a local EE instance).
Issuing multiple requests in parallel results in multiple CPUs burn out.
Using the DockerHub image, the entire server is completely unavailable by repeatedly sending a small number of requests repeatedly.

Examples

The bug is instance-independent, works on latest versions. Since GitLab.com is open-core - it would work on GitLab too.

What is the current bug behavior?

The HTTP request fails for timeout while the server is burning CPU.

On the code side:
texts_and_contexts is being initialized here:

def analyze(text, context = {})  
      [@]texts_and_contexts << { text: text, context: context }  
    end  

It is then used at banzai/reference_extractor.rb:

def html_documents  
      ...  
      [@]html_documents ||= Renderer.cache_collection_render([@]texts_and_contexts)  
      ...  

The CPU utilization is found in the execution of cache_collection_render.

What is the expected correct behavior?

Fix the implementation of cache_collection_render.

Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info

Impact

A complete denial of service of a GitLab EE instance.
As this vulnerability impacts GitLab.com, we assume that this vulnerability opens the door for a DDOS attack.

How To Reproduce

Please add reproducibility information to this section:

Edited May 23, 2022 by Nick Malcolm
Assignee
Assign to
Time tracking