Denial of service using asciidoctor include::

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2431562 by gudanggaramfilter on 2024-03-23, assigned to @kmorrison1:

Report | Attachments | How To Reproduce

Report

Summary

A user can cause a DoS that affects the entire site by using two .adoc files which include each other via the include:: directive. Gitlab::Asciidoc::IncludeProcessor simplest mitigation - prevent all use of the include directive. This may have an adverse impact on existing users, and this number needs to be higher if we want to prevent cyclic imports. I think the main problem is with our particular processor https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/asciidoc/include_processor.rb, specifically with :include_allowed?

Steps to reproduce
  1. Create a.adoc and b.adoc files in a repository (attached to report).
  2. Open the a.adoc or b.adoc file or endpoint https://gitlab.com/h1-domain-verification-txt/cukurukukngopibang/-/blob/main/b.adoc?format=json&ref_type=heads&viewer=rich

gitlab_badoc.mp4
gitlab_adoc.mp4

Impact

After 60 seconds (timeout) - the request fails. Meanwhile, on the server side, (one) CPU caught fire (verified against instance 16.10.0-ce.0-0 and gitlab.com).

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Kevin Morrison
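
The mutual-include case from the report, modelled as an added example (not GitLab's code and not the project's fix): a standalone expander that refuses an include whose target is already on the current include chain and caps total includes and nesting depth. SafeIncludeExpander, MAX_INCLUDES, MAX_DEPTH and the in-memory file map are assumptions made for illustration.

```ruby
# Added example: bounded, cycle-aware expansion of AsciiDoc include:: lines.
# All names and limits here are hypothetical; files live in an in-memory hash.
class SafeIncludeExpander
  INCLUDE_RE = /\Ainclude::(?<target>[^\[\s]+)\[[^\]]*\]\s*\z/
  MAX_INCLUDES = 32  # assumed per-document include budget
  MAX_DEPTH = 8      # assumed nesting limit
  attr_reader :skipped

  def initialize(files)
    @files = files     # path => content, stands in for repository blobs
    @skipped = []      # [target, reason] pairs, suitable for logging
    @count = 0
  end

  # Returns the document as an array of lines with includes expanded.
  def expand(path, ancestors = [])
    chain = ancestors + [path]
    @files.fetch(path).each_line(chomp: true).flat_map do |line|
      m = INCLUDE_RE.match(line)
      next [line] unless m
      reason = reject_reason(m[:target], chain)
      if reason
        @skipped << [m[:target], reason]
        next ["[include skipped: #{m[:target]} (#{reason})]"]
      end
      @count += 1
      expand(m[:target], chain)
    end
  end

  private

  def reject_reason(target, chain)
    return :missing unless @files.key?(target)
    return :cycle if chain.include?(target)          # target is its own ancestor
    return :too_deep if chain.length >= MAX_DEPTH
    return :budget_exhausted if @count >= MAX_INCLUDES
    nil
  end
end

# Constructed sample: two files that include each other, plus a benign include.
FILES = {
  "a.adoc" => "= A\ninclude::b.adoc[]\ninclude::note.adoc[]\n",
  "b.adoc" => "= B\ninclude::a.adoc[]\n",
  "note.adoc" => "A note.\n"
}.freeze

def render(path)
  expander = SafeIncludeExpander.new(FILES)
  [expander.expand(path), expander.skipped]
end
```

The ancestor check terminates the a.adoc/b.adoc loop on its own; the include budget is a separate bound for documents that fan out widely without ever forming a cycle.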