Arbitrary file read in project uploads controller via path traversal

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1994725 by pwnie on 2023-05-20, assigned to H1 Triage:

Report

Summary

The project uploads controller is vulnerable to path traversal in the :filename parameter, which leads to arbitrary file reads.

Steps to reproduce
  1. Create a new group and recursively create 10 new subgroups.
     Example: http://gitlab.com/11/22/33/44/55/66/88/99/aa/bb/cc/dd/ (notice the deeply nested subgroups and a project at the end, dd)
  1.5. If you don't want to do this step you can just use mine: https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11
  2. Go to https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11/uploads/9079e1f1e5765d269fd80e23f0dc3441/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Impact

Arbitrary file read

What is the current bug behavior?

:filename can contain path traversal characters

What is the expected correct behavior?

Sanitize :filename

Relevant logs and/or screenshots
Output of checks

The bug happens on GitLab

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
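The fix the report asks for ("Sanitize :filename"), shown as an added Ruby example that is not GitLab's code or the reporter's: the upload secret and filename are validated against an allow-list, the decoded name may not contain a separator or be a dot segment, and the normalized result must still sit under an assumed uploads base directory. `UPLOADS_BASE` and the function names are assumptions for the example.

```ruby
require 'pathname'
require 'uri'

# Constructed example, not GitLab's code: resolve an upload request
# (secret, filename) to a file path strictly inside the uploads base.
UPLOADS_BASE = Pathname.new('/var/opt/uploads').freeze  # assumed location
SECRET_RE = /\A[0-9a-f]{32}\z/.freeze                    # 32 hex chars, as in the report URL

class UnsafeUploadPath < StandardError; end

# Rack decodes %2F to "/" before a controller sees params; this example takes
# the raw URL segment, so decode first and validate the decoded value.
def decode_param(raw)
  URI.decode_www_form_component(raw.to_s)
end

# Allow-list check on the bare filename: no NUL, no separators, no dot segments.
def validate_filename!(filename)
  raise UnsafeUploadPath, 'empty filename' if filename.empty?
  raise UnsafeUploadPath, 'NUL byte' if filename.include?("\0")
  raise UnsafeUploadPath, 'path separator' if filename.match?(%r{[/\\]})
  raise UnsafeUploadPath, 'dot segment' if ['.', '..'].include?(filename)
  filename
end

def resolve_upload_path(secret:, filename:)
  raise UnsafeUploadPath, 'bad secret' unless secret.to_s.match?(SECRET_RE)
  name = validate_filename!(decode_param(filename))
  candidate = UPLOADS_BASE.join(secret, name).cleanpath
  # Defense in depth: even after the allow-list, the normalized path must
  # remain below the uploads base (catches any future loosening of the checks).
  unless candidate.to_s.start_with?("#{UPLOADS_BASE}/")
    raise UnsafeUploadPath, 'escapes uploads base'
  end
  candidate.to_s
end

# Boolean convenience wrapper for callers that only need accept/reject.
def safe_upload_path?(secret:, filename:)
  resolve_upload_path(secret: secret, filename: filename)
  true
rescue UnsafeUploadPath
  false
end
```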

Edited Jun 26, 2023 by Rohit Shambhuni