
Improper Handling of Highly Compressed Data (CWE-409)

We are currently undertaking code-reviews on internal GitLab projects using our in-house SAST engine VET. The corresponding issue is available here: https://gitlab.com/gitlab-org/gitlab/-/issues/444342.

Summary

VET reported the following flow as a potential (zip bomb) vulnerability.

[commands/ci/artifact/artifact.go:70-70:zipReader] (SOURCE_ZIP) ~> [commands/ci/artifact/artifact.go:123-123:dstFile] (SINK_COPY)

This flow describes a potential zip bomb attack where compression is used to disguise an enormous amount of data. This applies to functionality implemented in GitLab CLI to download job artifacts and decompress them automatically.

Steps to reproduce

Add the following job to your CI configuration:

compress:
  image: alpine:3.14
  script:
    - apk add zip
    - dd if=/dev/zero bs=1G count=1 > out
  artifacts:
    paths:
      - out

The archive artifacts.zip generated above will only have a size of 1MB. When running the command below, glab automatically downloads and extracts the artifact with a size of 1G. This is just an example, but you could imagine that the file or the number of files is larger.

➜ bin/glab ci artifact --repo <proj> main compress --path="."
du -hs out
1.0G    out

What is the current bug behavior?

At the moment glab automatically downloads and extracts zip archives that may include arbitrarily large files, making it vulnerable to zip bomb attacks and potentially leading to DoS.

What is the expected correct behavior?

Change the implementation to bound the decompressed size, using something comparable to Go's io.LimitedReader so that extraction stops once a configured byte limit is reached.
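As an added illustration of that fix (example code, not glab's own artifact.go), the following Go program extracts zip entries with both a per-entry and a whole-archive decompression cap. It first rejects entries whose declared UncompressedSize64 exceeds the cap, and then enforces the same cap on the actual decompressed stream with io.LimitReader, since the header value is attacker-controlled and can understate the real size. The helper buildArchive, the sizes and the entry name "out" are constructed here to mimic the issue's CI job in memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrEntryTooLarge is returned when an entry would decompress past the cap.
var ErrEntryTooLarge = errors.New("zip entry exceeds decompression limit")

// extractEntry copies one zip entry into dst, refusing to write more than
// limit bytes. The declared size check is cheap but not trustworthy, so the
// limit is enforced again on the decompressed stream.
func extractEntry(f *zip.File, dst io.Writer, limit int64) (int64, error) {
	if f.UncompressedSize64 > uint64(limit) {
		return 0, fmt.Errorf("%s: declared size %d: %w", f.Name, f.UncompressedSize64, ErrEntryTooLarge)
	}
	rc, err := f.Open()
	if err != nil {
		return 0, err
	}
	defer rc.Close()
	// Read at most limit+1 bytes: receiving limit+1 proves the entry is oversized.
	n, err := io.Copy(dst, io.LimitReader(rc, limit+1))
	if err != nil {
		return n, err
	}
	if n > limit {
		return n, fmt.Errorf("%s: %w", f.Name, ErrEntryTooLarge)
	}
	return n, nil
}

// extractAll extracts every entry with a per-entry cap and an overall cap,
// so many small entries cannot add up to a bomb either.
func extractAll(archive []byte, perEntry, total int64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	var written int64
	for _, f := range zr.File {
		var buf bytes.Buffer
		n, err := extractEntry(f, &buf, perEntry)
		written += n
		if err != nil {
			return nil, err
		}
		if written > total {
			return nil, fmt.Errorf("archive total: %w", ErrEntryTooLarge)
		}
		out[f.Name] = buf.Bytes()
	}
	return out, nil
}

// buildArchive is a constructed helper: it builds an in-memory deflated zip
// holding one file of `size` zero bytes, standing in for the "out" artifact
// produced by the dd command in the issue's CI job.
func buildArchive(name string, size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name) // Create uses Deflate by default
	if err != nil {
		panic(err)
	}
	if _, err := w.Write(make([]byte, size)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bomb := buildArchive("out", 4<<20) // 4 MiB of zeros compresses to a few KiB
	fmt.Printf("archive size on disk: %d bytes\n", len(bomb))
	_, err := extractAll(bomb, 1<<20, 8<<20)
	fmt.Println("4 MiB entry against a 1 MiB cap:", err)
	files, err := extractAll(bomb, 8<<20, 16<<20)
	fmt.Println("4 MiB entry against an 8 MiB cap:", err, "extracted", len(files["out"]), "bytes")
}
```

Callers such as a download command would pick the caps from a flag or configuration; the important property is that io.Copy into the destination file can never write more than the cap regardless of what the archive claims.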


Possible fixes


cc @gitlab-com/gl-security/appsec

Edited by Julian Thome