Global snippet, project, or import/export attachments can be moved to own snippet, may lead to data exposure
The file app/uploaders/file_mover.rb contains the logic that moves temporary personal snippet attachments into a persisted snippet directory. This is done in the move method of that file; the class is invoked from the move_temporary_files method. The move logic is vulnerable to path traversal: an attacker can move arbitrary files into the directory that stores their own snippet's attachments. Although files from other directories can be moved this way, it is currently not possible to download them. Given the confidentiality of the files that can be moved, however, this seems worth addressing now to avoid a bigger problem in the future.
When a file is uploaded to a snippet, it is first stored under /var/opt/gitlab/gitlab-rails/uploads/-/system/temp. This is the source directory from which the files are moved.
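To make the defensive side of this concrete, here is an added, self-contained Ruby sketch of how the temporary-to-persistent move can be guarded: the submitted path must match the expected /uploads/-/system/temp/<32-hex-secret>/<filename> shape, the filename must be a single non-dot segment, and the normalised source must still resolve inside the temp root before anything is moved. This is example code written for this report, not GitLab's app/uploaders/file_mover.rb; the class name SafeFileMover, the directory layout, the snippet id argument and the demo helper are all assumptions.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical, hardened stand-in for the temporary-to-persistent move described
# in the report. It is NOT GitLab's file_mover.rb; the directory layout and the
# "/uploads/-/system/temp/<secret>/<filename>" form of the uploaded path are
# assumptions taken from the report's example request.
class SafeFileMover
  class PathTraversalError < StandardError; end

  # Exactly one 32-hex-char secret directory and exactly one filename segment.
  TEMP_PATH_RE = %r{\A/uploads/-/system/temp/(?<secret>\h{32})/(?<name>[^/]+)\z}

  attr_reader :temp_root, :dest_root

  def initialize(temp_root:, dest_root:)
    @temp_root = File.expand_path(temp_root)
    @dest_root = File.expand_path(dest_root)
  end

  # Returns the absolute source path if +file_path+ is well-formed and resolves
  # inside temp_root; raises PathTraversalError otherwise.
  def validated_source(file_path)
    m = TEMP_PATH_RE.match(file_path.to_s)
    raise PathTraversalError, "unexpected temp path: #{file_path.inspect}" unless m
    # "[^/]+" still matches "." and "..", so reject dot segments explicitly.
    raise PathTraversalError, "dot segment in filename" if %w[. ..].include?(m[:name])

    source = File.expand_path(File.join(temp_root, m[:secret], m[:name]))
    # Belt and braces: after normalisation the path must still sit under temp_root.
    unless source.start_with?(temp_root + File::SEPARATOR)
      raise PathTraversalError, "resolved outside temp root: #{source}"
    end
    source
  end

  # Moves the validated file to <dest_root>/<snippet_id>/<secret>/<name> and
  # returns the destination path. Only regular files are moved, never directories.
  def move(file_path, snippet_id)
    source = validated_source(file_path)
    raise PathTraversalError, "source must be a regular file" unless File.file?(source)

    secret = File.basename(File.dirname(source))
    dest_dir = File.join(dest_root, snippet_id.to_s, secret)
    FileUtils.mkdir_p(dest_dir)
    dest = File.join(dest_dir, File.basename(source))
    FileUtils.mv(source, dest)
    dest
  end
end

# Demonstration on constructed paths in a throwaway directory: one legitimate
# upload is moved, several traversal-shaped paths are rejected, and a sibling
# "project" directory (standing in for the one in the report) is left untouched.
def safe_file_mover_demo
  Dir.mktmpdir do |root|
    temp_root = File.join(root, "temp")
    dest_root = File.join(root, "personal_snippet")
    secret = "deadbeef" * 4 # constructed 32-hex secret, as in the report's example
    FileUtils.mkdir_p(File.join(temp_root, secret))
    File.write(File.join(temp_root, secret, "notes.txt"), "hello")
    FileUtils.mkdir_p(File.join(root, "project"))

    mover = SafeFileMover.new(temp_root: temp_root, dest_root: dest_root)
    moved = mover.move("/uploads/-/system/temp/#{secret}/notes.txt", 42)

    rejected = ["/uploads/-/system/temp/#{secret}/..",
                "/uploads/-/system/temp/#{secret}/../../project",
                "/uploads/-/system/temp/../project",
                "/etc/passwd"].map do |p|
      begin
        mover.move(p, 42)
        false
      rescue SafeFileMover::PathTraversalError
        true
      end
    end

    { moved_to: moved,
      moved_exists: File.file?(moved),
      project_still_in_place: Dir.exist?(File.join(root, "project")),
      all_rejected: rejected.all? }
  end
end

puts safe_file_mover_demo.inspect if $PROGRAM_NAME == __FILE__
```

The important design choice is that the check is structural (the path must have exactly the shape the application itself generated) rather than a blacklist of ".." strings, and that the move refuses directories, which is what lets whole trees such as project or import/export folders be relocated in the report.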
Steps to reproduce
- sign in to an account
- create a snippet and attach a file
- when submitting the snippet, intercept the request - it will look like the one below:

  POST /snippets HTTP/1.1
  Host: gitlab-server
  ...
  ----------220720965
  Content-Disposition: form-data; name="files"

  /uploads/-/system/temp/deadbeefdeadbeefdeadbeefdeadbeef/filename
  ----------220720965--
- in the request, change filename, for example to .. to go one directory up, or to project to specify an existing directory
- now submit the request
- now list the files in the persisted snippet directory - you will notice that files from outside the temporary directory have been moved into the snippet directory:

  $ ls -lash /var/opt/gitlab/gitlab-rails/uploads/-/system/personal_snippet
  ...
  4.0K drwxr-xr-x 4 git git 4.0K Dec 28 14:44 project
  ...
Attachments of other users and global caches can be deleted, and could potentially be viewed in the future, for example once users are allowed to export their existing snippets or to view the attachments that are stored in the file store. Right now the impact is limited to denial of service, since import/export files, project files, and other users' snippet attachments can be deleted.
I've found this vulnerability together with @jobert.