with uploader, anyone can read files under specific folders including export project tarball
HackerOne report #762554 by manassehzhou on 2019-12-20, assigned to @dcouture:
Summary
You can specify any path through file.path in the POST when uploading any attachment to a wiki page, which leads to the possibility of reading anyone's export file.
Steps to reproduce
To begin with:
The @root user needs to export any of his repos, and it will appear in /opt/gitlab/embedded/service/gitlab-rails/public/uploads/-/system/import_export_upload/export_file/{project_id} like this
- Go to the wiki page, upload a file, open Burp Suite and capture the packet.
- Modify it a little bit: add the field file.path, then upload.
- Download the attachment; unzip it and you can find the exported repo.
- Read anyone's export or anything under these directories, which are defined in /lib/gitlab/middleware/multipart.rb:
  allowed_paths = [ ::FileUploader.root, Gitlab.config.uploads.storage_path, File.join(Rails.root, 'public/uploads/tmp') ]
Impact
You can specify any path through file.path in the POST when uploading any attachment to a wiki page, which leads to the possibility of reading anyone's export file.
P.S. you need to guess the directory.
What is the current bug behavior?
With file.path posted, the user can read any file under the mentioned directories.
What is the expected correct behavior?
file.path should be filtered.
Results of GitLab environment info
Running on Docker with the latest version.
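The allowed_paths list quoted in the steps admits any file under the whole uploads storage path, which is why a client-supplied file.path can point at the export_file directory. The Ruby below is an added example written for this report, not GitLab's own middleware code: it builds a constructed directory layout shaped like the report's description under a temp dir (hypothetical paths, not a real installation), then runs a path validator that resolves symlinks, requires a regular file, and only admits paths strictly inside an allowed root. It compares a broad allowlist that includes the storage root with a narrowed one that only admits the temporary upload directory, which is the setting a defender would want.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Resolve a client-supplied path and decide whether it may be served as an
# upload. Returns the resolved real path (String) on success, nil otherwise.
# The path must exist, be a regular file, and after symlink resolution sit
# strictly inside one of the allowed roots (never the root itself).
def resolve_upload_path(candidate, allowed_roots)
  return nil if candidate.nil? || candidate.empty? || candidate.include?("\0")

  real = begin
    Pathname.new(candidate).realpath.to_s
  rescue SystemCallError
    return nil # missing file, dangling symlink, permission error
  end
  return nil unless File.file?(real)

  inside = allowed_roots.any? do |root|
    root_real = begin
      Pathname.new(root).realpath.to_s
    rescue SystemCallError
      next false
    end
    real.start_with?(root_real + File::SEPARATOR)
  end
  inside ? real : nil
end

# Constructed fixture: a layout shaped like the report's description, under a
# temp dir. These are hypothetical stand-ins, not GitLab's real paths.
def build_fixture
  base    = Dir.mktmpdir('multipart-demo')
  storage = File.join(base, 'uploads')              # stands in for uploads.storage_path
  tmp     = File.join(storage, 'tmp')               # stands in for public/uploads/tmp
  export  = File.join(storage, '-', 'system', 'import_export_upload', 'export_file', '42')
  FileUtils.mkdir_p(tmp)
  FileUtils.mkdir_p(export)
  upload_file = File.join(tmp, 'upload.bin')
  export_file = File.join(export, 'project.tar.gz')
  link        = File.join(tmp, 'link.bin')          # symlink inside tmp pointing outside it
  File.write(upload_file, 'constructed pending upload')
  File.write(export_file, 'constructed export tarball')
  begin
    File.symlink(export_file, link)
  rescue NotImplementedError, SystemCallError
    # platform without symlinks: the path simply will not exist
  end
  { storage: storage, tmp: tmp, upload_file: upload_file,
    export_file: export_file, link: link }
end

# Compare the broad allowlist (storage root included) with a narrowed one
# that only admits the temporary upload directory.
def demo
  fx     = build_fixture
  broad  = [fx[:storage], fx[:tmp]]
  narrow = [fx[:tmp]]
  {
    broad_admits_export:  !resolve_upload_path(fx[:export_file], broad).nil?,
    narrow_admits_export: !resolve_upload_path(fx[:export_file], narrow).nil?,
    narrow_admits_upload: !resolve_upload_path(fx[:upload_file], narrow).nil?,
    symlink_rejected:     resolve_upload_path(fx[:link], narrow).nil?,
    traversal_rejected:   resolve_upload_path(File.join(fx[:tmp], '..', '-', 'system'), narrow).nil?,
    missing_rejected:     resolve_upload_path(File.join(fx[:tmp], 'nope.bin'), narrow).nil?
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The design point is that a string-prefix check on the raw input is not enough: the candidate and each root are resolved with realpath before comparison, so symlinks planted inside the temporary directory and dot-dot segments cannot escape it, and the root itself is never treated as a valid file.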