DOS via Gantt diagrams Mermaid

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2103067 by toukakirishima on 2023-08-09, assigned to @nmalcolm:


Report

Summary

I found a DoS vulnerability when adding a comment with a Mermaid Gantt diagram; as an attacker I can make DoS in any section with comments (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents inside repositories, Epics). Due to the year timeline that must be loaded up to several thousand years in the future, attackers can create DoS with Mermaid Gantt diagrams.

Steps to reproduce
  1. Create a comment with a Mermaid Gantt diagram (example on an Issue)

Payload: (updated by nmalcolm)

```mermaid
gantt
    title A Gantt Diagram
    dateFormat  YYYYY-MM-DD

    section Section
    A task           :a1, 99999-12-31,30d
    Another task     :a2, 00000-01-01, 25d
    Another one      :a3, 10000-12-31, 20d
```


  2. Reload the page. The page will take a very long time to load.


POC

bandicam_2023-08-09_17-48-00-090.mp4

Tested URL

toukaattacker/aaa#3

What is the current bug behavior?

Due to the year timeframe/timeline that must be loaded up to several thousand years in the future, attackers can create DoS with Mermaid Gantt diagrams.

What is the expected correct behavior?

Renders a maximum of 1-3 years of timeframe/timeline.

Output of checks

This bug happens on GitLab.com

Impact

An attacker can make DoS in any section with comments (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents inside repositories, Epics).
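The expected behaviour above is a bounded timeline. As an added example (not the reporter's, Mermaid's, or GitLab's code), the JavaScript below is a pre-render guard that extracts the task dates from a Gantt block and refuses to hand the diagram to the renderer when the span exceeds a limit. The 3-year limit is taken from the "expected correct behavior" section; the function names (`checkGanttTimeline`, `renderIfSafe`, `parseDate`, `parseDuration`), the subset of Gantt syntax handled, and the benign sample diagram are assumptions for illustration. The rejected sample is the report's own payload.

```javascript
// Added example, not Mermaid's or GitLab's code: a pre-render guard that
// rejects a Gantt block whose timeline spans more than a fixed number of
// years, so years such as 00000 or 99999 never reach the renderer.
// The limit, function names and parsing rules are assumptions.

const MAX_TIMELINE_YEARS = 3; // assumed limit, from the report's "1-3 years"
const MS_PER_YEAR = 365.25 * 86400000;

// Date tokens with four or more year digits (YYYY-MM-DD and the report's YYYYY-MM-DD).
const DATE_RE = /^(\d{4,})-(\d{2})-(\d{2})$/;
// Duration tokens: days, weeks, hours (assumed subset of Mermaid's duration syntax).
const DURATION_RE = /^(\d+)([dwh])$/;
const DURATION_MS = { d: 86400000, w: 7 * 86400000, h: 3600000 };
// Directive lines that carry no task dates and are skipped.
const DIRECTIVE_RE = /^(gantt|title|dateFormat|axisFormat|section|excludes|todayMarker|tickInterval)\b/;

function parseDate(token) {
  const m = DATE_RE.exec(token);
  if (!m) return null;
  // Build from a safe year first, then set the real one: Date.UTC() maps
  // years 0-99 to 1900-1999, setUTCFullYear() keeps them as given.
  const d = new Date(Date.UTC(2000, Number(m[2]) - 1, Number(m[3])));
  d.setUTCFullYear(Number(m[1]));
  return Number.isNaN(d.getTime()) ? null : d;
}

function parseDuration(token) {
  const m = DURATION_RE.exec(token);
  return m ? Number(m[1]) * DURATION_MS[m[2]] : null;
}

// Returns { ok, spanYears, tasks } for a gantt block's source text.
// Only tasks with an explicit start date count; "after <id>" dependencies
// are resolved by the renderer and are outside this simple guard.
function checkGanttTimeline(source, maxYears = MAX_TIMELINE_YEARS) {
  let earliest = null;
  let latest = null;
  let tasks = 0;

  for (const raw of source.split('\n')) {
    const line = raw.trim();
    const colon = line.indexOf(':');
    if (colon < 0 || line.startsWith('%%') || DIRECTIVE_RE.test(line)) continue;

    // Task spec after the colon: "[tags,] [id,] start, end | duration".
    const tokens = line.slice(colon + 1).split(',').map((t) => t.trim());
    let start = null;
    let end = null;
    for (const t of tokens) {
      const date = parseDate(t);
      if (date) {
        if (start) {
          end = date;
        } else {
          start = date;
        }
        continue;
      }
      const dur = parseDuration(t);
      if (dur !== null && start && !end) end = new Date(start.getTime() + dur);
    }
    if (!start) continue;
    tasks += 1;
    if (!end) end = start;
    if (!earliest || start < earliest) earliest = start;
    if (!latest || end > latest) latest = end;
  }

  const spanYears = earliest ? (latest - earliest) / MS_PER_YEAR : 0;
  return { ok: spanYears <= maxYears, spanYears, tasks };
}

// The report's payload, copied from the issue above.
const REPORT_PAYLOAD = `gantt
    title A Gantt Diagram
    dateFormat  YYYYY-MM-DD

    section Section
    A task           :a1, 99999-12-31,30d
    Another task     :a2, 00000-01-01, 25d
    Another one      :a3, 10000-12-31, 20d`;

// A constructed benign diagram the guard should let through.
const BENIGN_DIAGRAM = `gantt
    title Release plan
    dateFormat  YYYY-MM-DD
    section Build
    Implement        :b1, 2024-03-01, 30d
    Review           :b2, 2024-04-01, 2024-04-15`;

// Illustrative use: only render when the guard passes.
function renderIfSafe(source) {
  const verdict = checkGanttTimeline(source);
  if (!verdict.ok) {
    return `refused: timeline spans ${Math.round(verdict.spanYears)} years (limit ${MAX_TIMELINE_YEARS})`;
  }
  return 'render'; // hand the source to the Mermaid renderer here
}
```

The guard runs before any rendering work, so the cost of a malicious block is one linear pass over its lines rather than laying out a timeline of tens of thousands of years. It is deliberately conservative: a task it cannot date is ignored, and anything the guard passes is still subject to whatever limits the renderer itself enforces.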

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Nick Malcolm