Global snippet, project, or import/export attachments can be moved to own snippet, may lead to data exposure
HackerOne report #476564 by pindakaas
on 2019-01-08, assigned to asaba
Issue on dev
Summary
The app/uploaders/file_mover.rb file contains the logic that moves temporary personal snippet attachments into a persisted snippet directory. This is done in the move method of that file. The class is called from the SnippetsController, see move_temporary_files. The move logic was found to be vulnerable to path traversal, which allows an attacker to move arbitrary files into their own snippet's attachment directory. Although files from other directories can be moved, it is currently not possible to download their contents. Given the confidentiality of the files that can be moved, however, this seems worth addressing to avoid a bigger problem in the future.
When a file is uploaded to a Snippet, it is stored under /var/opt/gitlab/gitlab-rails/uploads/-/system/temp. This is the source directory from which the files will be moved.
Steps to reproduce
- sign in to an account
- create a snippet and attach a file
- when submitting the Snippet, intercept the request - it'll look like the one below:
POST /snippets HTTP/1.1
Host: gitlab-server
...
----------220720965
Content-Disposition: form-data; name="files[]"
/uploads/-/system/temp/deadbeefdeadbeefdeadbeefdeadbeef/filename
----------220720965--
- in the request, change deadbeefdeadbeefdeadbeefdeadbeef to .. (two dots) to go one directory up; change filename, for example, to .. or to project to specify an existing directory; now submit the request
- now list the files in the persisted snippet - you will notice that the files outside the temporary directory have been moved to the snippet directory
$ ls -lash /var/opt/gitlab/gitlab-rails/uploads/-/system/personal_snippet
...
4.0K drwxr-xr-x 4 git git 4.0K Dec 28 14:44 project
...
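One way to validate the files[] value before anything is moved, as an added Ruby example that is not GitLab's own FileMover code; the constant names, the safe_temp_source function and its temp_root keyword are assumptions. The secret and the file name are checked as single path components, and the resolved real path must still lie beneath the temp root and be a regular file, so the .. and project values from the steps above are rejected.

```ruby
require 'pathname'

# Added illustration, not GitLab's FileMover: validate a `files[]` value of a
# snippet submission before moving the file it names.
TEMP_URL_PREFIX = '/uploads/-/system/temp'.freeze
SECRET_RE = /\A\h{32}\z/.freeze # 32 hex chars, as in the sample request

# Returns the absolute source path to move, or nil when the parameter does
# not name an existing regular file at <temp_root>/<secret>/<filename>.
def safe_temp_source(file_param, temp_root:)
  return nil unless file_param.start_with?("#{TEMP_URL_PREFIX}/")
  rel = file_param.delete_prefix("#{TEMP_URL_PREFIX}/")
  secret, name, extra = rel.split('/', 3)
  return nil if extra || name.nil? || name.empty? # exactly two components
  return nil unless secret.match?(SECRET_RE)       # '..' or 'project' fail here
  return nil if ['.', '..'].include?(name) || name.include?("\0")
  return nil unless File.basename(name) == name    # no separators in the name

  root = Pathname.new(temp_root).realpath
  candidate = root.join(secret, name)
  return nil unless candidate.exist?
  # realpath resolves symlinks; the result must stay inside the temp root
  real = candidate.realpath
  return nil unless real.to_s.start_with?("#{root}/")
  return nil unless real.file? # directories such as a moved 'project' are refused
  real.to_s
rescue Errno::ENOENT, Errno::ENOTDIR
  nil
end
```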
Impact
Attachments of other users and global caches can be deleted and potentially viewed in the future, for example once users are allowed to export their existing snippets or to view the attachments that are stored in the file store. Right now this is limited to a denial of service, as import/export files, project files, and other people's snippet attachments can be deleted.
I've found this vulnerability together with @jobert.