
DoS in the Issue and Commit comments pages

HackerOne report #690235 by dfens on 2019-09-07, assigned to akelly:

Summary

An attacker can cause a DoS (HTTP 500) in the Issue and Commit comment pages by inserting a character higher than 0x65533 inside a Markdown link.

Steps to reproduce

In this example we describe the steps to reproduce the DoS on the Issue page, but it should be trivial to attack the other affected pages with the same technique.

Environment

From the Victim account:

  1. Create a project in which the attacker account has permission to post comments on Issue pages.
  2. Open an Issue.
  3. Comment something in the opened Issue.

Attack

From the attacker account:

  1. Write a comment in the opened issue containing the provided exploit.txt.
  2. Reload page.

Impact

No comment on that page can be loaded from any account, giving the impression that all comments have been deleted.
This is because the GET request to discussions.json fails with HTTP 500.
After the exploit, the issue page is in a state where nobody can read, write or delete any comment.
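The failure mode above is one note that cannot be rendered taking down the whole discussions.json response. The following Ruby is an added example, not GitLab's code: it flags Markdown links containing a code point above the report's threshold, and shows per-note failure isolation so that a single bad comment degrades to a placeholder instead of a 500. The renderer (`fragile_render`), the note hash layout and the placeholder text are assumptions for illustration.

```ruby
# Added example (not GitLab's code). The 0xFFFD (65533) threshold and the
# "character inside a Markdown link" trigger follow the report; everything
# else here is a constructed stand-in.

MAX_SAFE_CODEPOINT = 0xFFFD               # "higher than 0x65533" in the report
LINK_RE = /\[([^\]]*)\]\(([^)]*)\)/       # minimal [text](target) matcher

# Return [link_source, highest_codepoint] for every Markdown link whose text
# or target contains a code point above the threshold (empty array if none).
def suspicious_links(markdown)
  markdown.scan(LINK_RE).filter_map do |text, target|
    max_cp = (text + target).codepoints.max || 0
    ["[#{text}](#{target})", max_cp] if max_cp > MAX_SAFE_CODEPOINT
  end
end

# Stand-in renderer (assumption): fails on exactly the input the report
# describes, mimicking a renderer that raises instead of degrading.
def fragile_render(markdown)
  raise ArgumentError, "unsupported code point in link" unless suspicious_links(markdown).empty?
  markdown
end

# Render notes one at a time. A note whose rendering raises becomes a
# placeholder entry with the error class recorded, so the rest of the
# discussion still loads (the mitigation the report's impact calls for).
def render_discussion(notes)
  notes.map do |note|
    begin
      { id: note[:id], body: fragile_render(note[:body]), error: nil }
    rescue StandardError => e
      { id: note[:id], body: "(comment could not be rendered)", error: e.class.name }
    end
  end
end

# Constructed sample discussion: one ordinary note, one with a supplementary-
# plane character (U+1F600, above the threshold) inside a Markdown link.
SAMPLE_NOTES = [
  { id: 1, body: "see [the docs](https://example.invalid/docs)" },
  { id: 2, body: "[\u{1F600}](https://example.invalid/x)" }
].freeze

if __FILE__ == $PROGRAM_NAME
  render_discussion(SAMPLE_NOTES).each { |n| puts "#{n[:id]}: #{n[:body]} #{n[:error]}" }
end
```

Running the file prints note 1 rendered and note 2 as the placeholder with `ArgumentError`, rather than aborting the whole list.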

Other observations

It has been observed that this issue also affects the Activity page and the attacker's RSS feed.
If the exploit is used on a Commit comment page, neither the comments nor the diff of that commit can be viewed.

Impact

An attacker can compromise any public project by making all discussions on its Issue pages unreadable.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
