Arbitrary File read in Gitlab project import with Git LFS
HackerOne report #460423 by nyangawa on 2018-12-11:
Summary: An invalid check in "project import by URL" feature allows an attacker to read arbitrary file in Gitlab server.
Description:
The following code in app/services/projects/lfs_pointers/lfs_download_service.rb
doesn't really sanitize an URL and enforce it to begin with white-listed schemes (defined in lib/gitlab/url_sanitizer.rb
)
sanitized_uri = Gitlab::UrlSanitizer.new(url)
Therefore, a string like '/etc/passwd' could easily pass this sanitizer and get into download_and_save_file
, which finally allows the content of /etc/passwd
file be downloadable from the Gitlab server.
Steps To Reproduce:
(Add details for how we can reproduce the issue)
- Import project (git repo by URL) from http://jp.nyangawa.me:4567/p1 (my PoC git server)
- After the import process finishes successfully, download the file
1m
in the imported repo.
Supporting Material/References:
I've validated this issue both in my own Gitlab instance and Gitlab.com.
You can verify https://gitlab.com/Nyangawa/p1/blob/master/1m
directly or try to reproduce the bug following the steps in the previous section.
I can push the PoC server to a private repository on Gitlab.com if you ask. Please tell me your considerations.
Impact
The ability to read arbitrary file in a Gitlab instance could lead to serious data breach and other problems.