Arbitrary file read in project uploads controller via path traversal
HackerOne report #1994725 by pwnie on 2023-05-20, assigned to H1 Triage
Report
Summary
The project uploads controller is vulnerable to path traversal in the :filename parameter, which leads to arbitrary file reads.
Steps to reproduce
- Create a new group and recursively create 10 new subgroups.
  Example: http://gitlab.com/11/22/33/44/55/66/88/99/aa/bb/cc/dd/ (notice the deeply nested subgroups and a project at the end, dd).
  1.5 If you don't want to do this step, you can just use mine: https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11
Impact
Arbitrary file read
What is the current bug behavior?
:filename can contain path traversal characters
What is the expected correct behavior?
Sanitize :filename
Relevant logs and/or screenshots
Output of checks
The bug happens on GitLab
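One way to implement the expected behavior above ("Sanitize :filename"), as an added Ruby example that is not part of the original report and is not GitLab's code. The upload root and both helper names are hypothetical, and the check is generalized to percent-encoded input, which the report does not discuss.

```ruby
# Added example, not GitLab's code. UPLOAD_ROOT and both helper names are
# hypothetical; the sample filenames at the bottom are constructed.
UPLOAD_ROOT = '/srv/uploads/project-1'
MAX_DECODE_ROUNDS = 3

# Percent-decode until the value stops changing, so an encoded or doubly
# encoded separator is checked in its final form. Returns nil when the value
# is still changing after MAX_DECODE_ROUNDS (treated as hostile).
def fully_decode(value)
  current = value.b
  MAX_DECODE_ROUNDS.times do
    decoded = current.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    return current if decoded == current

    current = decoded
  end
  nil
end

# Returns the absolute path of +filename+ as a direct child of +root+, or nil
# when the name could address anything else.
def resolve_upload(root, filename)
  name = fully_decode(filename.to_s)
  return nil if name.nil? || name.empty? || name.include?("\0")
  return nil if name.match?(%r{[/\\]}) || %w[. ..].include?(name)

  base = File.expand_path(root)
  # File.join keeps a leading "~" literal; expand_path then normalises lexically.
  full = File.expand_path(File.join(base, name))
  # Containment check as a second layer. expand_path does not follow symlinks;
  # compare File.realpath results where uploads may contain them.
  full.start_with?(base + File::SEPARATOR) ? full : nil
end

if __FILE__ == $PROGRAM_NAME
  ['report.pdf', '../../etc/passwd', '%2e%2e%2fsecret', '%252e%252e%252fsecret',
   '..%5csecret', '..', "a\0.png"].each do |sample|
    puts format('%-28s => %s', sample.inspect, resolve_upload(UPLOAD_ROOT, sample).inspect)
  end
end
```

Only the first sample resolves to a path; every other constructed name returns nil before any file is opened.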
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: