Bypass of EXIF tag stripping via API uploads
HackerOne report #568414 by xanbanx
on 2019-05-06, assigned to jritchey
In GitLab 11.9.4, GitLab fixed a security vulnerability to strip EXIF tags from images (CVE-2019-10109). GitLab strips these tags when images get uploaded to the GitLab instance, e.g., when uploading an image when creating an issue.
However, this mitigation can be bypassed. GitLab provides a dedicated API endpoint to upload new images to the uploads folder, which can then be included in the markdown description of an issue, for example. When uploading an image via the API, GitLab does not strip the EXIF tags, allowing images with geo information to be uploaded to a GitLab instance.
Steps to reproduce
Tested on GitLab.com, 11.10.4-ee
- Create a new project
- Upload an image via the projects API by using the following curl request:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" --form "file=@<image-with-geo-info>.jpg" https://gitlab.example.com/api/v4/projects/<project-id>/uploads
Note that the image being uploaded contains EXIF information like the geo information. The request will return a JSON response similar to this one:
{
"alt": "image",
"url": "/uploads/8c6f78ac23b4a7b8c0182d7a89e9b1/image.jpg",
"markdown": "![image](/uploads/8c6f78ac23b4a7b8c0182d7a89e9b1/image.jpg)"
}
- Download the image again. The image is accessible via the URL https://gitlab.example.com/<namespace>/<project-name>/uploads/8c6f78ac23b4a7b8c0182d7a89e9b1/image.jpg. Note that I used the relative URL I got from the JSON response.
When inspecting the downloaded image, the image still contains the EXIF geo information.
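The inspection step above can be automated so that a test suite or an upload pipeline can verify that stripping actually happened. The following check is an added example, not code from the report or from GitLab: it walks the JPEG marker segments, locates the APP1/Exif payload and looks for the GPSInfo IFD pointer (tag 0x8825) in IFD0. The sample JPEG it builds is constructed inline for testing and is not a real photograph.

```python
import struct

GPS_IFD_POINTER = 0x8825  # EXIF IFD0 tag whose value points at the GPS sub-IFD

def jpeg_has_gps_exif(data: bytes) -> bool:
    """Walk the JPEG marker segments; True if an APP1/Exif IFD0 carries a GPSInfo pointer."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7:  # EOI / RSTn carry no length field
            pos += 2
            continue
        if marker == 0xDA:  # SOS: image data follows, all metadata segments are behind us
            return False
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + seg_len]  # the length field counts itself
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _ifd0_has_tag(payload[6:], GPS_IFD_POINTER)
        pos += 2 + seg_len
    return False

def _ifd0_has_tag(tiff: bytes, wanted: int) -> bool:
    """Parse the TIFF header inside the Exif payload and scan IFD0's directory entries."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif segment")
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):  # each entry: tag(2) type(2) count(4) value/offset(4)
        tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
        if tag == wanted:
            return True
    return False

def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG (SOI, APP1/Exif, EOI) for testing; not a real photo."""
    entries = [(0x0112, 3, 1, 1)]  # Orientation, SHORT, value 1
    if with_gps:
        # GPS sub-IFD sits right after IFD0 (header 8 + count 2 + 2 entries + next-IFD 4)
        entries.append((GPS_IFD_POINTER, 4, 1, 8 + 2 + 12 * 2 + 4))
    ifd0 = struct.pack("<H", len(entries)) + b"".join(struct.pack("<HHII", *e) for e in entries)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + struct.pack("<I", 0)
    if with_gps:
        tiff += struct.pack("<HI", 0, 0)  # empty GPS sub-IFD: zero entries, no next IFD
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `jpeg_has_gps_exif` over the file downloaded in the last step; a correctly stripped upload returns False on both the web and the API path.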
What is the current bug behavior?
GitLab strips the geo information when uploading an image via the web interface of the issue but misses this when uploading an image via the API.
What is the expected correct behavior?
Strip the EXIF information when uploading an image via the API.
Best,
Xanbanx
Impact
This issue can lead to images being uploaded to a GitLab instance revealing sensitive information like where an image was taken (geo information).