Misleading username could lead to impersonation when using SSH certificates

HackerOne report #1087806 by ledz1996 on 2021-01-26, assigned to @cmaxim:

Report | Attachments | How To Reproduce

Report

Summary

There exists a vulnerability in checking the value of the argument passed to gitlab-shell

internal/command/commandargs/shell.go

var (  
	whoKeyRegex      = regexp.MustCompile(`\bkey-(?P<keyid>\d+)\b`)  
	whoUsernameRegex = regexp.MustCompile(`\busername-(?P<username>\S+)\b`)  
)

These regexes do not check whether the argument starts with either key- or username-

Later on

	for _, argument := range s.Arguments {  
		if keyId := tryParseKeyId(argument); keyId != "" {  
			s.GitlabKeyId = keyId  
			break  
		}

		if username := tryParseUsername(argument); username != "" {  
			s.GitlabUsername = username  
			break  
		}  
	}  

As you can see, whoKeyRegex and whoUsernameRegex are used to parse the username or the ID of the SSH key. However, gitlab-shell checks for the key ID first. For example, a user with the username key-2 will be passed as username-key-2; this would lead to:

  • gitlab-shell parses it with tryParseKeyId, and in turn s.GitlabKeyId will be 2
  • This leads gitlab-shell to identify the user key-2 as the one with key ID 2

I tried to find a place where the GitLab username would be passed to gitlab-shell, and found SSH certificate usage. Even though it's not very convincing, as it requires the CA server to generate a certificate with a username like key-2, I would report it anyway.
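The following Go program is an added illustration; it is not code from this report or from gitlab-shell. It reproduces the parse order quoted above (key pattern first, then username pattern, stop at the first hit) with the original word-boundary patterns, and then repeats it with patterns anchored to the start and end of the argument. The anchored patterns are an assumed hardening written for this example, not necessarily the change GitLab shipped. The argument value username-key-2 and the parseWho helper are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns as quoted from gitlab-shell 13.14.0 in the report above.
// \b is a word boundary, not a start-of-string anchor, so the string
// "username-key-2" matches whoKeyRegex at the "-k" boundary.
var (
	whoKeyRegex      = regexp.MustCompile(`\bkey-(?P<keyid>\d+)\b`)
	whoUsernameRegex = regexp.MustCompile(`\busername-(?P<username>\S+)\b`)
)

// Anchored patterns (assumed hardening for this example, not the project's fix):
// \A and \z pin the match to the whole argument, so only an argument that
// literally begins with "key-" or "username-" can match.
var (
	anchoredKeyRegex      = regexp.MustCompile(`\Akey-(?P<keyid>\d+)\z`)
	anchoredUsernameRegex = regexp.MustCompile(`\Ausername-(?P<username>\S+)\z`)
)

// Who holds the identity gitlab-shell would act on.
type Who struct {
	KeyId    string
	Username string
}

// parseWho mimics the loop quoted above: for each argument, try the key
// pattern first, then the username pattern, and stop at the first hit.
// (Constructed helper; gitlab-shell uses tryParseKeyId/tryParseUsername.)
func parseWho(args []string, keyRe, userRe *regexp.Regexp) Who {
	var w Who
	for _, arg := range args {
		if m := keyRe.FindStringSubmatch(arg); m != nil {
			w.KeyId = m[keyRe.SubexpIndex("keyid")]
			return w
		}
		if m := userRe.FindStringSubmatch(arg); m != nil {
			w.Username = m[userRe.SubexpIndex("username")]
			return w
		}
	}
	return w
}

// ParseVulnerable applies the original, unanchored patterns.
func ParseVulnerable(args []string) Who {
	return parseWho(args, whoKeyRegex, whoUsernameRegex)
}

// ParseHardened applies the anchored patterns.
func ParseHardened(args []string) Who {
	return parseWho(args, anchoredKeyRegex, anchoredUsernameRegex)
}

func main() {
	// Constructed argv as gitlab-shell would receive it for a certificate
	// principal whose GitLab username is "key-2".
	args := []string{"username-key-2"}
	fmt.Printf("unanchored: %+v\n", ParseVulnerable(args)) // {KeyId:2 Username:}
	fmt.Printf("anchored:   %+v\n", ParseHardened(args))   // {KeyId: Username:key-2}
}
```

With the unanchored patterns the certificate principal key-2 is resolved as key ID 2; with the anchored patterns the same argument resolves to the username key-2, while a genuine key-42 argument still parses as key ID 42.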

Steps to reproduce

Pre-requisites:

Steps:

  • Create an SSH certificate for a user named key-2; it is possible to create a user with this username in GitLab
  • This will allow the user receiving the certificate to impersonate the user with key ID 2
  • Do whatever the user mentioned previously could do with SSH access

Video:

Impact

Impersonation, misleading regex.

Results of GitLab environment info
System information  
System:		Ubuntu 16.04  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.7.2p137  
Gem Version:	3.1.4  
Bundler Version:2.1.4  
Rake Version:	13.0.1  
Redis Version:	5.0.9  
Git Version:	2.29.0  
Sidekiq Version:5.2.9  
Go Version:	unknown

GitLab information  
Version:	13.7.4-ee  
Revision:	368b4fb2eee  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.9  
URL:		http://gitlab3.example.vm  
HTTP Clone URL:	http://gitlab3.example.vm/some-group/some-project.git  
SSH Clone URL:	git@gitlab3.example.vm:some-group/some-project.git  
Elasticsearch:	no  
Geo:		yes  
Geo node:	Primary  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers:

GitLab Shell  
Version:	13.14.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • [REDACTED]

How To Reproduce

Please add reproducibility information to this section:

Edited by Costel Maxim