Able to create project with unlimited repository size by Project Import
HackerOne report #420258 by ngalog on 2018-10-07:
Impact
An attacker could create a project with unlimited repository size as a low-level privilege user.
Description
This is achieved by using the project import function: change the value of "repository_size_limit":null to "repository_size_limit":0 in project.json in the GitLab export file, then tar the files with the modified project.json and import the tar file. This allows the user to create a project with unlimited repository size.
Steps to reproduce
- Create a project, export the project, and download the export.
- Untar the profile with this command:
  tar -vxzf export.tar.gz
- Use your favourite text editor to change project.json from "repository_size_limit":null to "repository_size_limit":0
- Tar all files back with this command:
  tar -cvzf import.tar.gz
- Upload the tar import to gitlab.com
You will notice that the repository now has unlimited repo size.
PoC: Look at https://gitlab.com/golduserngalog/importinifinete/
You will see the repo size is unlimited
Proposed solution
Ignore repository_size_limit during import and rely on a default/inherited value/whichever way it's configured.
Implementation plan
- backend: Add :repository_size_limit to excluded_attributes.project in https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/import_export/project/import_export.yml#L162
- backend: Remove :repository_size_limit from :Project in https://gitlab.com/gitlab-org/gitlab/blob/master/spec/lib/gitlab/import_export/safe_model_attributes.yml#L559
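The effect of the proposed exclusion, as an added Ruby sketch that is not GitLab's import code: attributes named under excluded_attributes.project are dropped from the uploaded project.json before use, so the limit falls back to the inherited value. The YAML fragment, the sample project.json, the default limit, the function names and the limit semantics (nil inherits, 0 means unlimited, as the report describes) are assumptions constructed for illustration.

```ruby
require "json"
require "yaml"

# Constructed config fragment, shaped like the excluded_attributes section
# the implementation plan refers to (not copied from GitLab).
CONFIG = YAML.safe_load(<<~YML)
  excluded_attributes:
    project:
      - repository_size_limit
YML

# Constructed project.json content as an importing user could supply it.
TAMPERED_EXPORT = '{"description":"demo","repository_size_limit":0}'

INSTANCE_DEFAULT_LIMIT = 10 * 1024**3 # hypothetical inherited default, in bytes

# Drop every excluded attribute and return [clean_attrs, dropped_attrs] so the
# importer can log what the archive tried to set.
def sanitize_project_attributes(raw_json, config)
  excluded = config.fetch("excluded_attributes").fetch("project", [])
  attrs = JSON.parse(raw_json)
  dropped = attrs.select { |key, _| excluded.include?(key) }
  [attrs.reject { |key, _| excluded.include?(key) }, dropped]
end

# Assumed model of the limit, inferred from the report: nil inherits the
# default, 0 means no limit.
def effective_limit(attrs, default)
  limit = attrs["repository_size_limit"]
  return default if limit.nil?
  limit.zero? ? Float::INFINITY : limit
end

# Compare the limit an import would end up with, with and without the exclusion.
def import_limits(raw_json, config, default)
  clean, dropped = sanitize_project_attributes(raw_json, config)
  {
    without_fix: effective_limit(JSON.parse(raw_json), default),
    with_fix: effective_limit(clean, default),
    dropped: dropped.keys
  }
end

if __FILE__ == $PROGRAM_NAME
  p import_limits(TAMPERED_EXPORT, CONFIG, INSTANCE_DEFAULT_LIMIT)
end
```

The dropped list gives the importer something to log when an archive carries an attribute that a genuine export would never need to set.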