EXIF Geolocation Data Not Stripped From Uploaded Images
HackerOne report #463654 by rgupt on 2018-12-17:
Summary: When a user uploads an image in Gitlab, the uploaded image's EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of Gitlab's users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.
Steps To Reproduce:
- Login to Gitlab and upload an image for any of the features like:
- Create a New Issue
- Create a New Comment
- Create a New Snippet etc...
- Upload an image which has EXIF Geolocation Data in it. Please use the following POC file: https://gitlab.com/rgupta1/testing2/uploads/c11e11ce3f02031fe600dc847293a851/IMG_20181217_122953951.jpg
- Once the image is uploaded by Gitlab and hosted on Gitlab server, download the image file and check the File Properties. You can also use a tool like to view user's information: https://www.pic2map.com/
POC
I have created a Private Project and uploaded an attachment to reproduce this issue. Please checkout the image in this link: https://gitlab.com/rgupta1/testing2/issues/1
Impact
This vulnerability is CRITICAL and impacts all the Gitlab's customer base. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads an image on Gitlab or any of the Gitlab instances.
Dependency
This fix should be released together with https://gitlab.com/gitlab-org/gitlab-ce/issues/56922 which addresses EXIF removal for existing uploads. It also depends on https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/99.
Downstream link issue: https://dev.gitlab.org/gitlab/gitlab-workhorse/issues/3