DOS via move_issue (Bypass #1543584)
HackerOne report #2485172 by setiawan_
on 2024-05-01, assigned to GitLab Team
Report
- When evaluating Availability impact for DoS that requires continuous traffic, use the 1k Reference Architecture. The number of requests must be less than the "test request rate per second" and cause unavailability of 10+ seconds that the user can perceive to assess the impact as A:H.
- I am using the 8 vCPU, 1k users reference architecture.
Summary
Moving an issue with a specially crafted description causes high CPU usage for 60 seconds (until the request times out): a linear-sized input expands into a table of quadratic size.
The table syntax allows columns to be omitted from some of the rows. Rows with too few columns are automatically extended to the correct length. For example, each |a| row in this example gets extended to 5 columns:
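A defender-side pre-render check for the padding rule just described, added here as example code and not GitLab's own: it computes how many cells a pipe table occupies once short rows are padded to the widest row, so a description whose padded size is quadratic in its length can be rejected before rendering. The cell budget, the function names and the sample table are assumptions, not values from the report.

```ruby
# Added example, not GitLab's code: estimate how many cells a pipe table
# occupies once rows with too few columns are padded to the widest row,
# and refuse to render a description whose padded size exceeds a budget.
# MAX_TABLE_CELLS is an assumed placeholder, not a real GitLab setting.
MAX_TABLE_CELLS = 10_000

# Number of cells on one pipe-table row, or nil if the line is not one.
# Escaped pipes (\|) are literal text, as in GitLab Flavored Markdown.
def table_cells(line)
  stripped = line.strip
  return nil unless stripped.start_with?("|") && stripped.end_with?("|")
  stripped[1..-2].split(/(?<!\\)\|/, -1).length
end

# Walk the text, treat each run of consecutive pipe rows as one table, and
# return the padded size of the largest table: row count * widest row.
def padded_table_cells(markdown)
  worst = 0
  rows = 0
  widest = 0
  close_table = lambda do
    worst = [worst, rows * widest].max
    rows = 0
    widest = 0
  end
  markdown.each_line do |line|
    cells = table_cells(line)
    if cells
      rows += 1
      widest = [widest, cells].max
    else
      close_table.call
    end
  end
  close_table.call
  worst
end

# Pre-render guard: true when the description stays within the budget.
def description_renderable?(markdown, budget = MAX_TABLE_CELLS)
  padded_table_cells(markdown) <= budget
end

# Constructed sample: one 200-column header row plus 200 one-cell rows is
# about 1.6 KB of text but pads out to 202 * 200 = 40400 cells.
SAMPLE = "|#{'a|' * 200}\n|#{'-|' * 200}\n" + "|a|\n" * 200

puts padded_table_cells(SAMPLE)        # 40400
puts description_renderable?(SAMPLE)   # false
```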
Steps to reproduce
- Create a project
- Create an issue with the following description. (You can skip this and use issues on GitLab.com, but this is not recommended; please use your local installation.)
- Click Bulk Edit in Issues and check the issue you created.
- Click Move Selected
- Select the project to move the issue to; this triggers the DoS.
bandicam_2024-05-01_18-16-53-337.mp4
Output of checks
This bug happens on GitLab.com, CE and EE.
Results of GitLab environment info
System information
System: Debian 12
Current User: git
Using RVM: no
Ruby Version: 3.1.4p223
Gem Version: 3.5.7
Bundler Version: 2.5.8
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version: 7.1.6
Go Version: unknown
GitLab information
Version: 16.11.1
Revision: 3ad2f8c9e62
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
URL: https://x
HTTP Clone URL: https://x/some-group/some-project.git
SSH Clone URL: git@x:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.35.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 16.11.1
- default Git Version: 2.43.2
S:C: impact caused to systems beyond the exploitable component (GraphQL)
This issue can cause a DoS of the GraphQL endpoint, so the CVSS scope is S:C: the vulnerable component is GitLab and the affected component is the production server (GraphQL).
Request:
{"operationName":"moveIssue","variables":{"moveIssueInput":{"projectPath":"root/aaaaaa","iid":"6","targetProjectPath":"root/bbbbbbb"}},"query":"mutation moveIssue($moveIssueInput: IssueMoveInput!) {\n issueMove(input: $moveIssueInput) {\n issue {\n id\n webUrl\n __typename\n }\n errors\n __typename\n }\n}\n"}
Response:
{"data":{"issueMove":null},"errors":[{"message":"Timeout on Base.issue","locations":[{"line":3,"column":5}],"path":["issueMove","issue"]},{"message":"Timeout on BaseMutation.errors","locations":[{"line":8,"column":5}],"path":["issueMove","errors"]}]}
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (7.7 High)
Impact
- After 60 seconds (timeout) - request failed.
- Meanwhile, on the server side, (one) CPU is burning (verified against local instance).
- Issuing many requests in parallel saturates many CPUs at once.
- With the autolink extension enabled, certain inputs exhaust resources indefinitely, causing a sustained denial of service.
- This also exhausts the resources of /api/graphql.