Denial of service using asciidoctor include::
HackerOne report #2431562 by gudanggaramfilter
on 2024-03-23, assigned to @kmorrison1:
Report
Summary
User can cause DoS to affect the entire site by using two .adoc files which include each other via the include:: directive (Gitlab::Asciidoc::IncludeProcessor).
Simplest mitigation: prevent all use of the include directive. This may have an adverse impact on existing users, and this number needs to be higher if we want to prevent cyclic imports. I think the main problem is with our particular processor https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/asciidoc/include_processor.rb , specifically with :include_allowed?
Steps to reproduce
- Create a.adoc and b.adoc files in repository (attached to report).
- Open the a.adoc or b.adoc file or endpoint https://gitlab.com/h1-domain-verification-txt/cukurukukngopibang/-/blob/main/b.adoc?format=json&ref_type=heads&viewer=rich
gitlab_badoc.mp4
gitlab_adoc.mp4
Impact
After 60 seconds (timeout) the request fails. Meanwhile, on the server side, (one) CPU caught fire (verified against instance 16.10.0-ce.0-0 and gitlab.com).
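As an added illustration that is not part of the report or of GitLab's code: a simplified Ruby include resolver that keeps the chain of files currently being expanded and refuses an include that loops back into that chain, so the a.adoc/b.adoc cycle described above is rejected up front instead of spinning until the request times out. The class names, the depth and count caps, and the in-memory repository are hypothetical.

```ruby
# Added example (not GitLab's code): a minimal AsciiDoc include resolver
# that refuses cyclic includes. Files are an in-memory Hash standing in for
# the repository; names and limits are hypothetical.
INCLUDE_RE = /\Ainclude::([^\[\]]+)\[\]\s*\z/
class CyclicIncludeError < StandardError; end
class IncludeDepthError < StandardError; end

class SafeIncludeResolver
  MAX_DEPTH = 5      # hypothetical cap on nesting, catches long non-cyclic chains
  MAX_INCLUDES = 32  # hypothetical cap on total expansions per render

  def initialize(files)
    @files = files
    @expansions = 0
  end

  # Expands include:: directives in +path+ and returns the flattened lines.
  # +stack+ is the chain of files currently being expanded; seeing +path+
  # there means the document has looped back on itself.
  def expand(path, stack = [])
    raise CyclicIncludeError, "cycle: #{(stack + [path]).join(' -> ')}" if stack.include?(path)
    raise IncludeDepthError, "nesting deeper than #{MAX_DEPTH}" if stack.size >= MAX_DEPTH
    source = @files.fetch(path) { raise ArgumentError, "no such file: #{path}" }
    source.lines(chomp: true).flat_map do |line|
      if (m = INCLUDE_RE.match(line))
        @expansions += 1
        raise IncludeDepthError, "more than #{MAX_INCLUDES} includes" if @expansions > MAX_INCLUDES
        expand(m[1], stack + [path])
      else
        [line]
      end
    end
  end
end

# Constructed sample repositories: the first reproduces the report's a.adoc/b.adoc loop.
CYCLIC_REPO = { 'a.adoc' => "= A\ninclude::b.adoc[]\n", 'b.adoc' => "= B\ninclude::a.adoc[]\n" }.freeze
ACYCLIC_REPO = { 'a.adoc' => "= A\ninclude::b.adoc[]\n", 'b.adoc' => "= B\nbody of b\n" }.freeze

# Returns the expanded lines, or the error class name when rendering is refused.
def render_outcome(repo, entry)
  SafeIncludeResolver.new(repo).expand(entry)
rescue CyclicIncludeError, IncludeDepthError => e
  e.class.name
end

if __FILE__ == $PROGRAM_NAME
  p render_outcome(CYCLIC_REPO, 'a.adoc')   # "CyclicIncludeError"
  p render_outcome(ACYCLIC_REPO, 'a.adoc')  # ["= A", "= B", "body of b"]
end
```

The depth cap matters independently of cycle detection: a long chain of distinct files can burn CPU just as well as a loop, so a real processor should bound both.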
Attachments
Warning: Attachments received through HackerOne, please exercise caution!