Crafted Markdown payload leads to DoS condition
HackerOne report #549523 by near_
on 2019-04-27, assigned to estrike
Background
GitLab issue #55653 demonstrates an attack in which the Markdown parser can be exploited to achieve a denial-of-service condition. It was possible to achieve a similar outcome with a crafted Markdown payload: [a](javascript:alert(1))
Issue
Proof of concept
- As an authenticated GitLab.com user, create a new project and a Markdown wiki page.
- Update the wiki homepage to contain `[a](javascript:alert(1))` and observe that it becomes completely inaccessible, throwing a 500 error (e.g. https://gitlab.com/authnearbbp/example2/wikis/home).
When the same payload is used elsewhere, such as Issue Comments and Web IDE, note that Markdown preview fails to load (similarly throwing a 500 error). I plan to take a quick glance at the logs on a local GitLab EE instance to see what might be going on here but wanted to flag this now as it seems to have been a P2/S2 concern in the past.
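The report does not say where in the pipeline the 500 originates. As an added example (not GitLab's code), this is how a Markdown link renderer can handle the reported payload defensively: the destination scheme is checked against an allowlist, a disallowed or malformed destination drops the href while keeping the link text, and no code path raises, so the page renders instead of failing. The regex and the allowlist are assumptions for the example.

```python
import re
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Inline Markdown link [text](destination); the destination may contain one
# level of balanced parentheses, which is what makes "javascript:alert(1)" parse.
LINK_RE = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)")

# Assumed allowlist: only these schemes become clickable hrefs.
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(dest: str) -> Optional[str]:
    """Return the destination if it is relative or uses an allowlisted scheme,
    otherwise None. Never raises: a malformed URL is treated as unsafe."""
    dest = dest.strip()
    try:
        scheme = urlsplit(dest).scheme.lower()
    except ValueError:
        return None  # e.g. broken IPv6 literal; refuse rather than error out
    if scheme == "":
        return dest  # relative link such as /wikis/home
    return dest if scheme in SAFE_SCHEMES else None


def render_links(markdown: str) -> str:
    """Render inline links to HTML; disallowed destinations degrade to text."""
    def repl(match: "re.Match[str]") -> str:
        text, dest = match.group(1), match.group(2)
        href = safe_href(dest)
        if href is None:
            return escape(text, quote=True)  # keep the text, drop the link
        return f'<a href="{escape(href, quote=True)}">{escape(text, quote=True)}</a>'
    return LINK_RE.sub(repl, markdown)


if __name__ == "__main__":
    # Constructed sample: the payload from the report beside a benign link.
    print(render_links("[a](javascript:alert(1)) and [home](/wikis/home)"))
```

The same allowlist check belongs on every surface that renders user Markdown (wiki, issue comments, Web IDE preview), since the report shows the payload reaching all of them.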
Impact
An attacker could render project wikis (and potentially other surfaces where Markdown is parsed) inaccessible, preventing content on these surfaces from being actioned.