Arbitrary file read in project uploads controller via path traversal

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1994725 by pwnie on 2023-05-20, assigned to H1 Triage:

Report | Attachments | How To Reproduce

Report

Summary

The project uploads controller is vulnerable to path traversal in the :filename parameter which leads to arbitrary file reads

Steps to reproduce

1. Create a new group and recursively create 10 new subgroups
   Example: http://gitlab.com/11/22/33/44/55/66/88/99/aa/bb/cc/dd/ notice the deeply nested subgroups and a project at the end (dd)

1.5 If you don't want to do this step you can just use mine: https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11

2. Go to https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11/uploads/9079e1f1e5765d269fd80e23f0dc3441/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Impact

Arbitrary file read

What is the current bug behavior?

:filename can contain path traversal characters

What is the expected correct behavior?

Sanitize :filename

Relevant logs and/or screenshots

Output of checks

The bug happens on Gitlab

Impact

Arbitrary file read

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: