I found a bypass for the mitigation of DoS via Mermaid (CVE-2019-9220).
As the mitigation for CVE-2019-9220, an input limit of 5000 characters is currently applied to each Mermaid code block, but it can be bypassed by simply splitting a longer payload across many code blocks.
{F551168}
When rendering of the Mermaid graphs starts, the browser tab displaying the page freezes.
This behavior prevents browsing and editing any page to which the Mermaid graphs have been added.
Also, the resources used by the browser tab will increase as rendering continues. In the worst case, the entire browser also freezes or crashes.
A mechanism is needed to detect whether the user's input contains a large number of Mermaid code blocks and to stop rendering before it starts.
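One way to implement such a check on the client side, as an added example that is not GitLab's own code: scan the raw Markdown for fenced `mermaid` blocks, then apply a page-wide budget (a cap on the number of blocks and on the total Mermaid source) in addition to the existing per-block limit, so rendering stops once the aggregate budget is exhausted instead of freezing the tab. The 5000-character per-block limit is the one the report describes; `maxBlocks` and `maxTotalChars`, the function names and the sample Markdown are assumptions constructed for this illustration.

```javascript
// Added example, not GitLab code. Pre-render budget check for Mermaid blocks.
// The per-block limit matches the report; the other two limits are assumed.
const LIMITS = {
  maxCharsPerBlock: 5000, // existing per-block limit (CVE-2019-9220 mitigation)
  maxBlocks: 20,          // assumed: blocks beyond this count are not rendered
  maxTotalChars: 20000,   // assumed: total Mermaid source allowed per page
};

// Extract the bodies of ```mermaid fenced blocks from raw Markdown, in order.
// Only triple-backtick fences are handled; tilde and indented fences are out
// of scope for this illustration.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  let current = null; // lines of the block being collected, or null
  for (const line of markdown.split(/\r?\n/)) {
    if (current === null) {
      if (/^\s*```\s*mermaid\s*$/i.test(line)) current = [];
    } else if (/^\s*```\s*$/.test(line)) {
      blocks.push(current.join('\n'));
      current = null;
    } else {
      current.push(line);
    }
  }
  return blocks;
}

// Decide which blocks may be handed to the renderer. Each block is checked
// against the per-block limit, the block count and the remaining page budget;
// blocks that break a limit are reported with the reason instead of rendered.
function planMermaidRendering(blocks, limits = LIMITS) {
  const render = [];
  const skipped = [];
  let total = 0;
  blocks.forEach((src, index) => {
    let reason = null;
    if (src.length > limits.maxCharsPerBlock) reason = 'block too large';
    else if (render.length >= limits.maxBlocks) reason = 'too many blocks';
    else if (total + src.length > limits.maxTotalChars) reason = 'page budget exhausted';
    if (reason) {
      skipped.push({ index, reason });
    } else {
      render.push(index);
      total += src.length;
    }
  });
  return { render, skipped, totalChars: total };
}

// Constructed sample: two Mermaid blocks and one unrelated code block.
const SAMPLE_MARKDOWN = [
  '# Issue',
  '```mermaid',
  'graph TD;',
  'A-->B;',
  '```',
  'Some text.',
  '```js',
  'console.log(1)',
  '```',
  '```mermaid',
  'graph LR;',
  'B-->C;',
  '```',
].join('\n');

// Usage: a page with many small blocks is cut off at the block cap.
const many = Array.from({ length: 30 }, () => 'graph TD;\nA-->B;');
console.log(planMermaidRendering(many).skipped.length); // 10 blocks held back
console.log(planMermaidRendering(extractMermaidBlocks(SAMPLE_MARKDOWN)));
```

Holding back blocks is a policy choice: a reviewer may prefer to render the held-back blocks on explicit user request rather than drop them, but the decision must be made before any Mermaid rendering begins, since the report shows the freeze occurs during rendering itself.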
This bug happens on the official Docker installation of GitLab Enterprise Edition 12.1.4-ee.
The browsers used for testing are Firefox 68 and Chromium 76 on Ubuntu.
Output of sudo gitlab-rake gitlab:env:info:
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.21.0
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.1.4-ee
Revision: 4ea82400e72
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.7
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: [email protected]:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 9.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
This vulnerability is effective not only on Issue pages but on every page that renders Markdown with Mermaid.
The following impacts exist on the attacked page:
These impacts are almost the same as CVE-2019-9220.
This is more severe than other issues that can be handled with 500 errors.