
Denial of Service via `can_create_branch` issue API

Summary

The /issues/{issue_number}/can_create_branch endpoint can enter a loop that performs thousands of git operations per request. A handful of requests is therefore enough to exhaust resources on the host.

I am doing this as a vulnerability disclosure rather than a bug report because this directly affects availability and in my eyes has a CVSSv3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Steps to reproduce

  1. Create a new repository
  2. Clone the repository
  3. Point your terminal at the cloned repository
  4. Create a branch called 1-test
  5. Create branches in the format 1-test-{iteration}, where iteration is between 2 and 1000.
  6. Run git push --all origin
  7. Optionally go back to step 5 and create another 1000 branches. This can be repeated as many times as you want; you only need to run git push --all origin after every 1000 new branches. The number of branches you create is the number of git operations run per request. In my testing I used both 8000 and 10000 successfully.
  8. Open a new issue titled test on the repository you created
  9. Send a GET request to {gitlab_base_url}/{project_path}/-/issues/1/can_create_branch with a Cookie header carrying _gitlab_session={valid_gitlab_session}. The connection can be closed as soon as the request has been sent, so request timeouts do not mitigate the issue. I did 6 requests/second in my testing to bring my instance down.

Example Project

I didn't feel comfortable making this on GitLab.com due to it potentially being seen as malicious behaviour, but here is a link to my test instance. There is a script in the main branch that can be used to perform all of the steps, except issue creation, automatically.

http://142.132.178.91/test-namespace/test-repo

What is the current bug behavior?

It enters a loop that performs one git operation per iteration until it finds an unused branch name.

What is the expected correct behavior?

It should not enter a loop that performs a git operation on every iteration.

Output of checks

Results of GitLab environment info


```
root@gitlab-ubuntu-8gb-fsn1-1:~# sudo gitlab-rake gitlab:env:info

System information
System:		Ubuntu 20.04
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203
Gem Version:	3.1.4
Bundler Version:2.3.15
Rake Version:	13.0.6
Redis Version:	6.2.6
Sidekiq Version:6.4.0
Go Version:	unknown

GitLab information
Version:	15.0.4
Revision:	cb0f45a3375
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	13.6
URL:		http://142.132.178.91
HTTP Clone URL:	http://142.132.178.91/some-group/some-project.git
SSH Clone URL:	git@142.132.178.91:some-group/some-project.git
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: 

GitLab Shell
Version:	14.3.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell
```

Results of GitLab application Check

```
root@gitlab-ubuntu-8gb-fsn1-1:~# gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.3.0 ? ... OK (14.3.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ... 
2/1 ... yes
4/3 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 1
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished
```

Possible fixes

Line of code responsible

You could use a different method of generating a unique branch name for the issue, rather than iterating through candidate names and performing a git operation for each one until an unused name is found.
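To make the cost difference concrete, the following is an added example and not GitLab's own code. It contrasts the looping pattern described in this report (one git lookup per candidate name, unbounded) with two mitigations: listing the prefixed branches once and choosing the suffix in memory, and capping the number of lookups before falling back to a random suffix. The CountingRepo class is a hypothetical in-memory stand-in for a Gitaly-backed repository that counts round-trips; the method names branch_exists?, branch_names_with_prefix and MAX_ATTEMPTS are assumptions made for the example.

```ruby
# Added example (not GitLab code): compare how many git round-trips each
# strategy spends choosing a unique "<base>-<n>" branch name for an issue.
require 'set'
require 'securerandom'

# Hypothetical stand-in for a git-server-backed repository. Every call that
# would hit the git server increments `lookups`, so the strategies below can
# be compared by cost rather than by result alone.
class CountingRepo
  attr_reader :lookups

  def initialize(branch_names)
    @branches = Set.new(branch_names)
    @lookups = 0
  end

  # One git operation: does this exact branch exist?
  def branch_exists?(name)
    @lookups += 1
    @branches.include?(name)
  end

  # One git operation: every branch whose name starts with `prefix`
  # (assumed to map onto a single ref-listing call on the server).
  def branch_names_with_prefix(prefix)
    @lookups += 1
    @branches.select { |b| b.start_with?(prefix) }
  end
end

# The pattern this report describes: one git lookup per iteration, with no
# upper bound, so an attacker-controlled number of colliding branches sets
# the number of git operations a single request performs.
def suggested_branch_name_iterative(repo, base)
  return base unless repo.branch_exists?(base)

  counter = 2
  counter += 1 while repo.branch_exists?("#{base}-#{counter}")
  "#{base}-#{counter}"
end

# Mitigation 1: fetch the colliding names with a single listing call and
# find the lowest free suffix in memory. The in-memory loop is bounded by
# the number of branches returned, and the request costs one git operation
# however many branches exist.
def suggested_branch_name_single_listing(repo, base)
  taken = repo.branch_names_with_prefix(base)
  return base unless taken.include?(base)

  pattern = /\A#{Regexp.escape(base)}-(\d+)\z/
  suffixes = taken.filter_map { |b| (m = b.match(pattern)) && m[1].to_i }.to_set
  counter = 2
  counter += 1 while suffixes.include?(counter)
  "#{base}-#{counter}"
end

# Mitigation 2 (defence in depth if per-name lookups must stay): cap the
# number of git operations per request and fall back to a random suffix
# once the budget is spent, so the cost is fixed rather than attacker-chosen.
MAX_ATTEMPTS = 50

def suggested_branch_name_bounded(repo, base)
  return base unless repo.branch_exists?(base)

  (2..(MAX_ATTEMPTS + 1)).each do |counter|
    candidate = "#{base}-#{counter}"
    return candidate unless repo.branch_exists?(candidate)
  end
  # Sequential budget exhausted: a random suffix is unique with overwhelming
  # probability and costs no further git operations.
  "#{base}-#{SecureRandom.hex(4)}"
end

# Constructed sample mirroring the report: 1-test plus 1-test-2 .. 1-test-1000.
def sample_branches
  ['1-test'] + (2..1000).map { |i| "1-test-#{i}" }
end

if $PROGRAM_NAME == __FILE__
  %i[suggested_branch_name_iterative suggested_branch_name_single_listing
     suggested_branch_name_bounded].each do |strategy|
    repo = CountingRepo.new(sample_branches)
    name = send(strategy, repo, '1-test')
    puts format('%-38s -> %-16s git operations: %d', strategy, name, repo.lookups)
  end
end
```

Against the report's 1000 colliding branches the iterative version spends 1001 git operations per request, the single-listing version spends one, and the bounded version spends at most MAX_ATTEMPTS + 1. The single-listing variant also keeps the original "lowest free number" semantics, so a gap such as a missing 1-test-2 is reused rather than skipped.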


cc @gitlab-com/gl-security/appsec