
Arbitrary File read in Gitlab project import with Git LFS

HackerOne report #460423 by nyangawa on 2018-12-11:

Summary: An invalid check in the "project import by URL" feature allows an attacker to read arbitrary files on the Gitlab server.

Description: The following code in app/services/projects/lfs_pointers/lfs_download_service.rb doesn't really sanitize a URL or enforce that it begins with one of the white-listed schemes (defined in lib/gitlab/url_sanitizer.rb):

sanitized_uri = Gitlab::UrlSanitizer.new(url)

Therefore, a string like '/etc/passwd' could easily pass this sanitizer and get into download_and_save_file, which finally allows the content of the /etc/passwd file to be downloaded from the Gitlab server.

Steps To Reproduce:


  1. Import project (git repo by URL) from http://jp.nyangawa.me:4567/p1 (my PoC git server)
  2. After the import process finishes successfully, download the file 1m in the imported repo.

Supporting Material/References:

I've validated this issue both in my own Gitlab instance and Gitlab.com.

You can verify https://gitlab.com/Nyangawa/p1/blob/master/1m directly or try to reproduce the bug following the steps in the previous section.

I can push the PoC server to a private repository on Gitlab.com if you ask. Please tell me your considerations.

Impact

The ability to read arbitrary files on a Gitlab instance could lead to a serious data breach and other problems.
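The report describes a sanitizer that accepts a bare filesystem path because it never enforces an allowed scheme or requires a host. Below is an added illustration of the kind of check that closes that gap, written for this page and not GitLab's own code; the function names, the error class and the http/https allowlist are assumptions.

```ruby
require 'uri'

# Added example (not GitLab's code): only these schemes may be used to fetch
# an LFS object during import. A bare path such as "/etc/passwd" has no scheme
# at all, and "file://" is deliberately absent from the list.
ALLOWED_LFS_SCHEMES = %w[http https].freeze

class UnsafeLfsUrlError < StandardError; end

# Returns the parsed URI when +url+ is an absolute http(s) URL with a host.
# Raises UnsafeLfsUrlError for blank input, unparseable strings, local paths,
# non-allowlisted schemes and scheme-only URLs without a host.
def validated_lfs_download_uri(url)
  raise UnsafeLfsUrlError, 'blank URL' if url.nil? || url.strip.empty?

  uri = begin
    URI.parse(url.strip)
  rescue URI::InvalidURIError => e
    raise UnsafeLfsUrlError, "unparseable URL: #{e.message}"
  end

  # URI.parse('/etc/passwd') succeeds and yields scheme == nil, so the
  # scheme check is what actually rejects a local path.
  unless uri.scheme && ALLOWED_LFS_SCHEMES.include?(uri.scheme.downcase)
    raise UnsafeLfsUrlError, "scheme not allowed: #{uri.scheme.inspect}"
  end
  raise UnsafeLfsUrlError, 'missing host' if uri.host.nil? || uri.host.empty?

  uri
end

# Boolean wrapper for callers that only need accept/reject.
def safe_lfs_download_url?(url)
  validated_lfs_download_uri(url)
  true
rescue UnsafeLfsUrlError
  false
end
```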
