Report was rewarded with $500 bug bounty: https://issuetracker.google.com/issues/182062672
Looks like https://pub.dev/ (https://github.com/dart-lang/pub-dev) is a subject to DoS attack.
Please consider a pubspec.yaml which contains a YAML bomb. Once pub publish is executed, the application is published to pub packages registry.
The pub.dev registry(google owned app engine) code is trying to load yaml & cpu utilization is killing performance. The CPU is going to the sky and the website is not responsive anymore.
Spin up the server:
Edit /app/lib/shared/configuration.dart to change gcp project to one you own and run:
dart bin/server.dart defaultgo to yaml-bomb and run:
export PUB_HOSTED_URL=http://localhost:8080
pub publish- CPU is going to the sky
pub.devis not responsive anymore ~> timeout ~> DoS
Please refer to screenshots
In addition to the report following images were shared:
