GitLab omnibus DoS crash via OOM with CI Catalogs
Steps to reproduce
On a self-hosted instance:
- create a new repository,
- git clone https://gitlab.com/emoji-ops/gitlab-ci and push it to the new repository (master was b4cb8e996e03cd when this happened)
- create a branch
- edit .gitlab-ci.yml and change CI_PROJECT_PATH for CI_CATALOG_PATH (which isn't set and doesn't exist),
- commit
- push to repository.
- go to Run Pipeline UI,
- click run.
- memory usage will go up until OOM.
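As an added defensive check (not part of the original report or of the emoji-ops/gitlab-ci project), the script below scans a pipeline config for references to CI_* variables that are neither predefined nor declared in the file, which is the kind of edit the steps above describe (CI_CATALOG_PATH does not exist). The sample YAML is constructed, and the predefined-variable allowlist is a partial assumption to be extended from the GitLab documentation.

```python
import re

# Constructed sample pipeline config (not the file from the report): one job
# references the non-existent CI_CATALOG_PATH variable.
SAMPLE_CI_YML = """\
variables:
  IMAGE: "$CI_REGISTRY_IMAGE:latest"
build:
  stage: build
  script:
    - echo "building $CI_PROJECT_PATH"
    - echo "catalog is ${CI_CATALOG_PATH}"
    - echo "commit $CI_COMMIT_SHA"
"""

# Partial allowlist of real GitLab predefined CI variables (assumption: extend
# it for your instance from the documented predefined-variable list).
KNOWN_PREDEFINED = {
    "CI_PROJECT_PATH", "CI_REGISTRY_IMAGE", "CI_COMMIT_SHA",
    "CI_COMMIT_REF_NAME", "CI_PIPELINE_ID", "CI_SERVER_FQDN",
}

# Matches $CI_FOO and ${CI_FOO}; a "$$" escape is not treated as a reference.
_REF = re.compile(r"(?<!\$)\$\{?(CI_[A-Z0-9_]+)\}?")
# Matches "CI_FOO:" keys, i.e. variables the file declares itself.
_DECL = re.compile(r"^\s*(CI_[A-Z0-9_]+):", re.M)


def unknown_ci_refs(ci_yml, known=KNOWN_PREDEFINED, declared=()):
    """Return the sorted CI_* names referenced in ci_yml that are neither
    predefined, passed in as declared, nor declared in the file itself."""
    declared_vars = set(declared) | set(_DECL.findall(ci_yml))
    refs = set(_REF.findall(ci_yml))
    return sorted(refs - set(known) - declared_vars)


if __name__ == "__main__":
    for name in unknown_ci_refs(SAMPLE_CI_YML):
        print(f"WARNING: reference to undefined CI variable {name}")
```

Run it as a pre-push or merge-request lint so a typo like the one in the reproduction steps is flagged before a pipeline is created on the instance.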
Impact
Denial of service because GitLab Omnibus will crash.
What is the expected correct behavior?
No crash.
Results of GitLab environment info
$ sudo gitlab-rake gitlab:env:info
System information
System: Debian 11
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 3.0.6p216
Gem Version: 3.4.19
Bundler Version:2.4.19
Rake Version: 13.0.6
Redis Version: 7.0.13
Sidekiq Version:6.5.7
Go Version: unknown
GitLab information
Version: 16.4.1-ee
Revision: 229bc5f5985
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.11
URL: https://gitlab.ateme.net
HTTP Clone URL: https://gitlab.ateme.net/some-group/some-project.git
SSH Clone URL: git@gitlab.ateme.net:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.28.0
Repository storages:
default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Gitaly
default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
default Version: 16.4.1
default Git Version: 2.42.0
Edited by Julien Lecomte