Remote Command Execution (RCE) in project import
This is from the Recurity whitebox testing. I've verified that this works. You can even use:
ssh://-oProxyCommand=[snip]/aTo execute arbitrary shell commands using backticks.
Via the Import Repository functionality it is possible to execute commands on
the GitLab server under the git user.
Reproduction steps:
- Click
New Project, fill out a project name. - Click
git Repo by URL. - Paste a URL like
ssh://-oProxyCommand=[snip]/a. - Click
Create project
Now the ruby -esleep 1000 can be observed running on the GitLab server under
the git user.
As a short term mitigation
gitlab-ee/app/validators/addressable_url_validator.rb should exclude the ssh
entry in DEFAULT_OPTIONS = { protocols: %w(http https ssh git) }.freeze.
However the main problem lies in git clone, we've investigated this issue a
bit further, and figured that it's possible to create git repositories which
will execute arbitrary commands upon recursive checkout. If you like to we can report this issue to the git maintainers.