/zoom quick action to create Linked resources in an Incident causing infinite loop of attempted creations.
Summary
I may have uncovered a potential denial of service issue in GitLab Issues/Incidents. I'm not 100% on the conditions, but it appears that if you try to create an issue or incident that includes quick actions and /zoom is used, but is not the last quick action (or perhaps not the last line at all), it gets hung in a loop creating infinite Zoom linked resources. Attempting to edit the description appears to fail, and adding a new comment, even without another /zoom action, triggers another loop of attempts to add that resource by the user that made the comment.
SIRT discovered this using the following block when creating a test incident. We did this in our namespace on gitlab.com, and it appears that the Zoom integration requires Premium and some feature flags set. We had to delete the issues in order to get them to stop infinitely adding Zoom resources (though in the issue it caps out at 100).
Steps to reproduce
- Create or go to a project where you have Reporter+ privileges
- Create an incident with the following description (minus the backticks):

```
/zoom https://zoom.us/j/123456789
/label ~incident
/severity 3
```
What is the current bug behavior?
- Infinite Zoom links are added to the Linked resources. It caps out at 100, but the activity log shows endless additions.
- Another user commenting causes the links to switch to being added by that user, but it never actually posts their comment, and their comment does not need to have /zoom in it.
Screenshots
Excessive resource consumption (CPU):
100 linked resources:
Flip-flopping user being attributed to the action when another user makes a comment during the bug's execution (even though Vic Tim was the only user to use the Zoom quick action)
What is the expected correct behavior?
A single Zoom link added to the Linked resources
Relevant logs and/or screenshots
We had to delete the incidents to stop the storm, but I'm sure there are logs associated with projects https://gitlab.com/gitlab-sirt/shared-incidents/incident_4217 and https://gitlab.com/gitlab-sirt/confidential-incidents/incident_4216
Output of checks
This bug happens on GitLab.com
Possible fixes
Fix hint: ensuring the /zoom link is the last quick action prevents this from happening.
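Two small helpers, added here as an illustration and not part of GitLab or of this report: `move_zoom_last` applies the workaround above to an incident description before it is submitted (keeping a single `/zoom` line and making it the final line), and `linked_resource_storm` flags the symptom described in this report, the same URL being attached many times in a short window. The list-of-dicts shape with `link` and `created_at` keys is an assumption for the sample data, which is constructed inline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ZOOM_ACTION = re.compile(r"^/zoom\b", re.IGNORECASE)


def move_zoom_last(description: str) -> str:
    """Workaround from the report: keep one /zoom quick action and make it
    the last line of the description (the bug triggers when /zoom is followed
    by other quick actions)."""
    lines = description.splitlines()
    zoom_lines = [l for l in lines if ZOOM_ACTION.match(l.strip())]
    others = [l for l in lines if not ZOOM_ACTION.match(l.strip())]
    while others and not others[-1].strip():  # trailing blanks would follow /zoom
        others.pop()
    if zoom_lines:
        others.append(zoom_lines[0].strip())  # only the first /zoom survives
    return "\n".join(others)


def linked_resource_storm(links, threshold=10, window=timedelta(minutes=5)):
    """Return {url: count} for URLs attached more than `threshold` times
    within any `window`. `links` holds dicts with 'link' and ISO 8601
    'created_at' keys (assumed shape, not a GitLab API guarantee)."""
    by_url = defaultdict(list)
    for item in links:
        by_url[item["link"]].append(datetime.fromisoformat(item["created_at"]))
    storms = {}
    for url, stamps in by_url.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            storms[url] = best
    return storms


# Constructed sample: 12 identical Zoom links 10 s apart plus one unrelated link.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LINKS = [
    {"link": "https://zoom.us/j/123456789",
     "created_at": (BASE + timedelta(seconds=10 * i)).isoformat()}
    for i in range(12)
] + [{"link": "https://example.invalid/runbook", "created_at": BASE.isoformat()}]

if __name__ == "__main__":
    print(move_zoom_last("/zoom https://zoom.us/j/123456789\n/label ~incident\n/severity 3\n"))
    print(linked_resource_storm(SAMPLE_LINKS))
```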