Arbitrary File read in Gitlab project import with Git LFS
HackerOne report #460423 by nyangawa on 2018-12-11:
Summary: An invalid check in the "project import by URL" feature allows an attacker to read arbitrary files on the Gitlab server.
The following code in app/services/projects/lfs_pointers/lfs_download_service.rb doesn't really sanitize a URL or enforce that it begins with one of the white-listed schemes (defined in
sanitized_uri = Gitlab::UrlSanitizer.new(url)
Therefore, a string like '/etc/passwd' easily passes this sanitizer and reaches download_and_save_file, which ultimately makes the content of the /etc/passwd file downloadable from the Gitlab server.
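As an added example (not GitLab's own code), this is the kind of scheme allowlist check the report says is missing before the URL reaches download_and_save_file; the module and method names are hypothetical.

```ruby
require 'uri'

# Hypothetical helper, added for illustration: reject anything that is not an
# absolute http(s) URL before it is handed to a download routine, so a local
# path such as "/etc/passwd" or a file:// URL never reaches the downloader.
module LfsUrlCheck
  ALLOWED_SCHEMES = %w[http https].freeze

  class InvalidUrl < StandardError; end

  # Returns the parsed URI when it has an allowed scheme and a non-empty host;
  # raises InvalidUrl for local paths, scheme-less strings and other schemes.
  def self.validate!(url)
    uri = URI.parse(url.to_s)
    scheme = uri.scheme.to_s.downcase
    raise InvalidUrl, "missing scheme" if scheme.empty?
    raise InvalidUrl, "scheme not allowed: #{scheme}" unless ALLOWED_SCHEMES.include?(scheme)
    raise InvalidUrl, "missing host" if uri.host.to_s.empty?
    uri
  rescue URI::InvalidURIError => e
    raise InvalidUrl, e.message
  end

  # Boolean convenience wrapper around validate!.
  def self.valid?(url)
    validate!(url)
    true
  rescue InvalidUrl
    false
  end
end
```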
Steps To Reproduce:
- Import project (git repo by URL) from http://jp.nyangawa.me:4567/p1 (my PoC git server)
- After the import process finishes successfully, download the file 1m in the imported repo.
I've validated this issue both on my own Gitlab instance and on Gitlab.com.
You can verify https://gitlab.com/Nyangawa/p1/blob/master/1m directly or try to reproduce the bug by following the steps in the previous section.
I can push the PoC server to a private repository on Gitlab.com if you ask. Please tell me your considerations.
The ability to read arbitrary files on a Gitlab instance could lead to a serious data breach and other problems.