Regex DOS in the Submodule Url Parser
HackerOne report #1727201 by mokusou
on 2022-10-08, assigned to @cmaxim:
Report
Summary
An attacker is able to DoS an instance of GitLab by exploiting a regex issue in the submodule URL parser.
The root cause:
https://gitlab.com/gitlab-org/gitlab/-/blob/d78a491f7503537c48532f8e7c086464f64c7698/app/helpers/submodule_helper.rb#L20
if url =~ %r{([^/:]+)/([^/]+(?:\.git)?)\Z}
The regex in the above file, line 20, causes ReDoS when receiving a value such as aaaaaa....aaaaaaaaaaaaaaaaa/a/
Steps to reproduce
- Create your own instance and a normal-privileged (non-admin) user as an attacker.
- As the normal user you just created, make two projects (let's name them project A and project B), and attach project B to project A as a submodule. One way to do this is to run the following command in a local branch of project A (replace the URL with the URL of project B):
  git submodule add https://gl.ryotak.me/Mokusou/submodule-for-redos-poc submodule-redos
  (Please use submodule-redos and not other names, so that the PoC file in step 3 can be used without any modification.)
- Once you complete step 2, you should have a file named ".gitmodules" in your local branch of project A. Replace the file with the following file:
- Push the changes you have made in steps 2 and 3 to your instance.
- Visit the following URL, but with your own domain name instead of gl.ryotak.me: https://gl.ryotak.me/-/graphql-explorer
- SSH to your server and run htop to check the CPU usage, and then send the following query, with your main project name in the fullPath parameter, via the GraphQL UI from step 6. Once you hit the send button multiple times, you should see that CPU usage goes to 100%:
  query {
    project(fullPath: "Mokusou/poc-for-redos") {
      repository {
        tree {
          submodules {
            nodes {
              id
              webUrl
              treeUrl
              flatPath
            }
          }
        }
      }
    }
  }
- Visit your instance (https://gl.ryotak.me/ in my case) from a web browser, and see the bad gateway timeout.
Impact
An attacker can make a server go down and become inaccessible (HTTP response 502) by sending multiple GraphQL requests with a payload of about 3 million characters. Please also refer to the attached video PoC for the actual simulation.
What is the current bug behavior?
DoS the instance. Please see the attached video PoC for more details.
What is the expected correct behavior?
A timeout should be set for the above-mentioned Regex to avoid DoS.
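The following is an added example, not code from the report or from GitLab, and it does not claim to be GitLab's actual fix. It takes the regex quoted in the report, explains in comments why the reported input shape makes it backtrack, and shows two defensive options: a backtracking-free parser that produces the same two captures with plain string scans, and the match timeout the report asks for (Regexp#timeout, available from Ruby 3.2). The function names and the constructed URL list are assumptions for the example.

```ruby
# Added example (not code from the report or from GitLab).
# The regex below is the one quoted in the report from
# app/helpers/submodule_helper.rb line 20; the function names are ours.
VULNERABLE_REGEX = %r{([^/:]+)/([^/]+(?:\.git)?)\Z}

# Why the regex is slow on "aaaa...a/a/": the pattern is unanchored at the
# start, so the engine tries every position in the run of 'a's; from each
# one, [^/:]+ scans forward to the final slash, [^/]+ takes the single 'a',
# and \Z fails on the trailing slash, forcing a backtrack that cannot
# succeed. Total work grows with the square of the input length.

# Backtracking-free equivalent: the same two captures, computed with plain
# string scans. Each call is a constant number of linear passes.
def parse_submodule_url_linear(url)
  last_slash = url.rindex('/')
  return nil if last_slash.nil?

  project = url[(last_slash + 1)..]
  return nil if project.empty?           # [^/]+ needs at least one char

  head = url[0...last_slash]
  # Leftmost-match semantics make group 1 the full run of characters that are
  # neither '/' nor ':' immediately before the final slash.
  boundary = [head.rindex('/'), head.rindex(':')].compact.max
  namespace = boundary.nil? ? head : head[(boundary + 1)..]
  return nil if namespace.empty?         # [^/:]+ needs at least one char

  [namespace, project]
end

# The original regex, wrapped so the two parsers can be compared on short
# constructed inputs (never call this on untrusted input of unbounded length).
def parse_submodule_url_regex(url)
  m = VULNERABLE_REGEX.match(url)
  m && [m[1], m[2]]
end

# The mitigation the report asks for: a match timeout. Regexp#timeout exists
# from Ruby 3.2 on; older interpreters get the unbounded regex back, which is
# why the linear parser above should be the primary fix.
def bounded_regex(seconds = 0.5)
  if Regexp.method_defined?(:timeout)
    Regexp.new(VULNERABLE_REGEX.source, timeout: seconds)
  else
    VULNERABLE_REGEX
  end
end

# Constructed inputs (not taken from the report's attachments) covering the
# clone-URL shapes from the environment output plus boundary cases.
CONSTRUCTED_URLS = [
  "https://gl.ryotak.me/Mokusou/submodule-for-redos-poc",
  "git@gl.ryotak.me:some-group/some-project.git",
  "../relative/project.git",
  "nested/group/project",
  "no-slash-at-all",
  "/leading-slash-only",
  "aaaaaaaaaaaaaaaa/a/",            # the reported shape, kept tiny here
].freeze

# Regression check: the linear parser must agree with the regex on every
# constructed input.
def parsers_agree?
  CONSTRUCTED_URLS.all? do |u|
    parse_submodule_url_linear(u) == parse_submodule_url_regex(u)
  end
end

if __FILE__ == $PROGRAM_NAME
  CONSTRUCTED_URLS.each { |u| p [u, parse_submodule_url_linear(u)] }
  puts "parsers agree: #{parsers_agree?}"
end
```

The linear parser is the durable fix because its cost does not depend on the input shape at all; the timeout only caps how long a single bad match may run, and a cap per request still lets many concurrent requests consume CPU, so a timeout alone is a stopgap rather than a replacement for removing the backtracking.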
Relevant logs and/or screenshots
Results of GitLab environment info
ubuntu@i-12100000422677:~$ sudo gitlab-rake gitlab:env:info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.2
Go Version: unknown
GitLab information
Version: 15.4.1-ee
Revision: 7b2ed8f038f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: https://gl.ryotak.me
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
SSH Clone URL: git@gl.ryotak.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell