2014-12-09-three-reasons-gitlab-is-not-vulnerable-to-the-Gollum-vulnerability.html.md
---
title: "3 reasons why GitLab is not vulnerable to the Gollum vulnerability and 1 tip"
date: 2014-12-09
categories: company
author: Job van der Voort
---

Three days ago, Gollum, the git-powered wiki used in GitLab, disclosed a
[vulnerability](https://github.com/gollum/gollum/issues/913) that makes it possible to execute code on the
server Gollum is running on. Someone could exploit this to bring down your server or access your data.
**GitLab is not vulnerable to this, here's why:**

<!-- more -->

1. GitLab has implemented its own search and doesn't use Gollum's search.

2. For search, we made sure to use `Shellwords.shellescape(query)`.

3. Since GitLab 7.4, we have switched to Rugged, avoiding any use of Grit [altogether](https://gitlab.com/gitlab-org/gitlab_git/blob/master/lib/gitlab_git/repository.rb#L194).

We've verified that GitLab installations prior to version 6.6 are **not** vulnerable
to the Gollum vulnerability either.

## 1 Tip

Ironically, it was [our own gem](https://gitlab.com/gitlab-org/gitlab-grit) that caused this.
We've created a [guide](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/shell_commands.md)
to combat remote code execution vulnerabilities we found previously in GitLab.
We should have rewritten our gem to follow our own guidelines, but we're switching GitLab
to [Rugged](https://github.com/libgit2/rugged) instead.

We recommend that all Ruby developers adopt our guidelines and take note of this.
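To make the point behind item 2 and the shell commands guide concrete, here is an added example (not code from GitLab, Gollum or the guide itself) contrasting a shell command built by string interpolation with the two safer forms: escaping the argument with `Shellwords.shellescape`, and passing an argv array so that no shell is involved at all. The function names and the sample query are constructed for illustration.

```ruby
require 'shellwords'
require 'open3'

# Constructed sample input: a search query that happens to contain shell
# metacharacters (a space, a semicolon and a second command).
UNTRUSTED_QUERY = 'foo bar; echo injected'

# Unsafe pattern: user input interpolated straight into a string that will be
# handed to /bin/sh. The shell sees ";" and runs a second command.
def unsafe_command(query)
  "git grep -n #{query}"
end

# Safer form 1: escape the argument before it reaches a shell, as GitLab does
# for its own search. The whole query becomes one shell word.
def escaped_command(query)
  "git grep -n #{Shellwords.shellescape(query)}"
end

# Safer form 2 (what the guide prefers): build an argv array. Process.spawn,
# Open3 and friends exec this directly, so no shell ever parses the input.
# "--" stops git from treating a query starting with "-" as an option.
def argv_command(query)
  ['git', 'grep', '-n', '--', query]
end

# Split a command string the way a POSIX shell splits words, so we can see how
# many arguments each form actually produces.
def shell_words(command)
  Shellwords.split(command)
end

# Run a harmless program with the argv form and hand back what it received.
# printf prints its argument byte for byte, so if the query comes back intact
# the metacharacters were never interpreted.
def run_without_shell(query)
  stdout, _stderr, _status = Open3.capture3('printf', '%s', query)
  stdout
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{shell_words(unsafe_command(UNTRUSTED_QUERY)).inspect}"
  puts "escaped: #{shell_words(escaped_command(UNTRUSTED_QUERY)).inspect}"
  puts "argv:    #{argv_command(UNTRUSTED_QUERY).inspect}"
  puts "printf saw: #{run_without_shell(UNTRUSTED_QUERY).inspect}"
end
```

The unsafe form splits the query into four separate words, and a real shell would additionally treat the `;` as a command separator. The escaped form keeps the query as a single argument, and the argv form never gives a shell the chance to look at it, which is why the guide recommends it over escaping.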

As with everything in GitLab, if you see something that can be improved, please send us a merge request.

## About GitLab

You can try GitLab by [downloading](/downloads/) the Community Edition and installing it on your own server or by signing up to our free, unlimited GitLab instance [GitLab.com](https://gitlab.com/users/sign_up).
Check out [GitLab Enterprise Edition](/features/#enterprise) for deep LDAP integration, git hooks, Jenkins integration and many more powerful enterprise features.