# Crafted Markdown payload leads to DoS condition
**[HackerOne report #549523](https://hackerone.com/reports/549523)** by `near_` on 2019-04-27, assigned to `estrike`:

## Background

GitLab issue [#55653](https://gitlab.com/gitlab-org/gitlab-ce/issues/55653) demonstrates an attack in which the Markdown parser can be exploited to achieve a denial-of-service condition. It was possible to achieve a similar outcome with a crafted Markdown payload: `[a](javascript:alert(1))`

## Issue

### Proof of concept

1. As an authenticated GitLab.com user, create a new project and Markdown wiki page.
2. Update the wiki homepage to contain `[a](javascript:alert(1))` and observe that it becomes completely inaccessible, throwing a 500 error (e.g. https://gitlab.com/authnearbbp/example2/wikis/home).

![wiki_dos.png](https://h1.sec.gitlab.net/a/62849d03-2541-4c31-b7e8-4ca68df91477/wiki_dos.png)

When the same payload is used elsewhere, such as Issue Comments and Web IDE, note that Markdown preview fails to load (similarly throwing a 500 error).

I plan to take a quick glance at the logs on a local GitLab EE instance to see what might be going on here, but wanted to flag this now as it seems to have been a P2/S2 concern in the past.

## Impact

An attacker could render project wikis (and potentially other surfaces where Markdown is parsed) inaccessible, preventing content on these surfaces from being actioned.

## Attachments

* [wiki_dos.png](https://h1.sec.gitlab.net/a/62849d03-2541-4c31-b7e8-4ca68df91477/wiki_dos.png)