Too long wiki page's title causes various impact.
Link: https://hackerone.com/reports/414096
By: @8ayac
Details: Summary: I have discovered various impacts caused by adding a wiki page whose title is too long, which violates the Availability and Integrity of the system.
Description: Adding a wiki page whose title is too long has several impacts.
Steps To Reproduce:
1. Sign in to GitLab.
2. Go to "http(s)://{GitLab host}/projects/new"
3. Fill out "Project name" form with "testProject".
4. Click "Create project" button.
5. Go to "http(s)://{GitLab host}/{user id}/testProject/wikis/home?view=create".
6. Fill out "Content" form with "poc".
7. Click "Create page" button.
8. Click "New page" button.
9. Fill out "Page slug" form with "foo".
10. Click "Create page" button.
11. Fill out "Content" form with "poc".
12. Click "Create page" button.
13. Go to "http(s)://{GitLab host}/{user id}/testProject/wikis/foo/edit".
14. Fill out "Title" form with 'A'*50000.
15. Click "Save changes" button.
Result: A page titled AAAAAAAAAAA... is added. (The response to step 15 is 502 Bad Gateway.)
Supporting Material
I attached a movie.
Impact
- Users can not clone this repository with git clone.
- Once an attacker added the page whose title is too long, it can not be deleted on the client side.
- The user can not view the history of the added page.
Mitigation
I think the following is effective.
- Limit the number of characters in the title of wiki pages.
- Create a page like a list of wiki pages, so that you can delete pages from there.
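
The first mitigation, sketched as a server-side check. This is an added example, not code from the report or from GitLab. It assumes each wiki page is stored as a file named after its title in the wiki's Git repository, with a 255-byte limit per path component and a ".md" suffix, and it measures bytes rather than characters; the module name and limits are hypothetical.

```ruby
# Added example: server-side wiki title validation (not GitLab's code).
module WikiTitleCheck
  # Assumptions: each page is stored as "<title><EXTENSION>" in the wiki's
  # Git repository, and one path component may be at most 255 bytes.
  MAX_COMPONENT_BYTES = 255
  EXTENSION = ".md"
  MAX_PAGE_NAME_BYTES = MAX_COMPONENT_BYTES - EXTENSION.bytesize

  # Returns an array of error messages; an empty array means the title passes.
  def self.errors_for(title)
    title = title.to_s
    return ["title is blank"] if title.strip.empty?

    # "/" in a title creates directories, so check every component separately.
    *dirs, page = title.split("/", -1)
    errors = []
    errors << "a path component is empty" if page.empty? || dirs.any?(&:empty?)

    # Compare bytes, not characters: multi-byte titles hit the limit sooner.
    if page.bytesize > MAX_PAGE_NAME_BYTES
      errors << "page name is #{page.bytesize} bytes (limit #{MAX_PAGE_NAME_BYTES})"
    end
    dirs.each do |dir|
      next if dir.bytesize <= MAX_COMPONENT_BYTES
      errors << "directory name is #{dir.bytesize} bytes (limit #{MAX_COMPONENT_BYTES})"
    end
    errors
  end

  def self.valid?(title)
    errors_for(title).empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample titles, including the 'A'*50000 value from the report.
  samples = { "foo" => "foo", "'A'*50000" => "A" * 50_000,
              "200 two-byte chars" => "\u00e9" * 200 }
  samples.each do |label, title|
    errs = WikiTitleCheck.errors_for(title)
    puts "#{label}: #{errs.empty? ? 'ok' : errs.join('; ')}"
  end
end
```

Running the check before the title is written to the repository means an over-long title is rejected with a validation error at save time.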