Workhorse bypass allows files in /tmp to be read via Maven Repository APIs
HackerOne report #908796 by ledz1996
on 2020-06-26, assigned to @ankelly:
Summary
Similar issue to #848415 and #876998
As far as we know, UploadedFile.from_params has led to a series of Workhorse bypass vulnerabilities.
There was one in the Maven APIs before, but it has been patched because of this issue.
However, the route detection in Workhorse sees %2f as /.
So this means:
- If the full path for a project put into the API is 000173%2fpackages%2fmaven, Workhorse will see this as 000173/packages/maven and treat it as a valid path for internal/upstream/routes.go:
route("PUT", apiPattern+`v4/projects/[0-9]+/packages/maven/`, upload.BodyUploader(api, signingProxy, preparers.packages)),
This allows us to bypass the Workhorse authorization in the RoR part, thus resulting in system file / object storage enumeration by using file.path or file.remote_id.
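The route-matching discrepancy described above, as an added illustration that is not GitLab Workhorse code: Go's url.Parse percent-decodes the path into u.Path, so a regexp route applied to the decoded path sees "0040/packages/maven" where the client actually sent "0040%2fpackages%2fmaven". The constructed check below compares the segment count of the decoded path with that of u.EscapedPath() (the original encoding) and refuses to route a request whose structure changed on decoding. The apiPattern prefix is assumed to be `^/api/` here; the route regexp otherwise mirrors the one quoted from routes.go.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed example, not GitLab Workhorse code. The route pattern mirrors the
// one quoted from internal/upstream/routes.go, with apiPattern assumed to be
// `^/api/`.
var mavenUploadRoute = regexp.MustCompile(`^/api/v4/projects/[0-9]+/packages/maven/`)

// matchesDecoded is the fragile behaviour: it matches the route against u.Path,
// which Go has already percent-decoded, so every %2f has become a /.
func matchesDecoded(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	return mavenUploadRoute.MatchString(u.Path), nil
}

// hasEncodedSlash reports whether decoding changed the segment structure of the
// path, i.e. whether the client sent a percent-encoded slash. EscapedPath()
// returns the path as the client encoded it when that encoding is valid.
func hasEncodedSlash(u *url.URL) bool {
	return strings.Count(u.Path, "/") != strings.Count(u.EscapedPath(), "/")
}

// matchesStrict is the hardened check: a request whose decoded path has more
// segments than its raw path is refused before the route regexp is consulted.
func matchesStrict(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	if hasEncodedSlash(u) {
		return false, nil
	}
	return mavenUploadRoute.MatchString(u.Path), nil
}

func main() {
	for _, p := range []string{
		"/api/v4/projects/40/packages/maven/package/",       // legitimate numeric project id
		"/api/v4/projects/0040%2fpackages%2fmaven/package/", // encoded path from the report
	} {
		d, _ := matchesDecoded(p)
		s, _ := matchesStrict(p)
		fmt.Printf("%-52s decoded-match=%v strict-match=%v\n", p, d, s)
	}
}
```

Run as a plain Go program: the legitimate path matches under both checks, while the encoded path matches only the decoded-path regexp and is rejected by the strict check. The same segment-count comparison is a cheap, generic test to apply to any path-based route matcher that hands the decoded path to a downstream component.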
Steps to reproduce
- Create a project and note its ID. For example: ID 40
- Create a subgroup and project with the following path: 0040/packages/maven
- Send a PUT request to the following URL:
/api/v4/projects/0040%2fpackages%2fmaven/package/?file.path=../../../../../../../../../../../../etc/passwd
along with the header Private-Token: (the token for accessing the API),
or, for Object Storage:
/api/v4/projects/0040%2fpackages%2fmaven/package/?file.remote_id=object-id
- If it responds with 500, the file/object does not exist; 400 means the file exists.
Why a 500 code means the file does not exist (screenshot): fileenum1.PNG
Uploaded a video for this:
bandicam_2020-06-26_17-13-53-860.mp4
Results of GitLab environment info
System information
System: Ubuntu 16.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version: 5.2.7
Go Version: unknown
GitLab information
Version: 13.1.0-ee
Revision: 1fa237df2f4
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://gitlab.example.vm
HTTP Clone URL: http://gitlab.example.vm/some-group/some-project.git
SSH Clone URL: git@gitlab.example.vm:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: saml
GitLab Shell
Version: 13.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Discloses the existence of a file on the system, in Object Storage, etc.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!