Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content.
HackerOne report #2194607 by st4nly0n
on 2023-10-05, assigned to GitLab Team
Report
Description
GitLab's web interface does not ensure the integrity of file information for specially crafted file names, because a literal `%` in a file name is not itself percent-encoded before the name is placed in a URL. A file named `dir%2f__hello__.sh` therefore displays, when opened from the web interface, the contents of the `dir/__hello__.sh` file. This allows an attacker to create a repository containing malicious code that is not visible to the victim in GitLab's web interface. Once the victim downloads the repository, however, they obtain the file with the malicious content, potentially resulting in the execution of arbitrary commands on the victim's system.
The issue lies in how GitLab's web interface handles character encoding in file names. When the `%2f` sequence appears in a file's name, GitLab does not apply the additional encoding step, so the file name is decoded once more than intended and the wrong file's content is shown, deceiving the user with seemingly harmless content.
Steps to Reproduce
- Perform the following steps as a malicious user:
1. Create a new public repository on gitlab.com.
2. Clone the repository and enter it:
   ```shell
   git clone <REPO>
   cd <REPO>
   ```
3. Create a directory named `dir`:
   ```shell
   mkdir dir
   ```
4. Create a file named `__hello__.sh` inside the `dir` directory and add a harmless command:
   ```shell
   echo 'echo "hello world"' > dir/__hello__.sh
   ```
5. Push the `__hello__.sh` file to the remote repository:
   ```shell
   git add dir/__hello__.sh && \
   git commit -m 'Init' . && \
   git push origin HEAD -f
   ```
6. Create a file literally named `dir%2f__hello__.sh` (in the repository root, not inside `dir`) and add a command of your choice:
   ```shell
   ### EXAMPLE
   echo 'cat /etc/passwd' > dir%2f__hello__.sh
   ```
7. Push the `dir%2f__hello__.sh` file to the remote repository:
   ```shell
   git add dir%2f__hello__.sh && \
   git commit -m 'Init' . && \
   git push origin HEAD -f
   ```
- Perform the following steps as a victim user:
8. From GitLab's web interface, open the `dir%2f__hello__.sh` file and observe that its content is displayed as the harmless `echo "hello world"` from `dir/__hello__.sh`.
9. Download or clone the repository and execute the `dir%2f__hello__.sh` file.
As a result of the steps described above, a victim who trusted the seemingly harmless content of `dir%2f__hello__.sh` as displayed in GitLab's web interface is surprised on executing it, because it runs unexpected arbitrary commands.
Please refer to the following proof of concept video demonstrating this result.
poc.mp4
What is the current bug behavior?
When the `%2f` sequence is used in a file's name, GitLab does not perform the additional encoding step, leading to an incorrect representation of the file name and of the file content.
What is the expected correct behavior?
GitLab should percent-encode file names before placing them in URLs, in particular encoding a literal `%` as `%25`, so that every file name is represented and displayed correctly in the web interface and a single decoding step yields the original name. Additionally, validation of file names is needed to prevent such malicious manipulation.
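The following added example (not code from the report or from GitLab) models the ambiguity described above: it contrasts a naive URL builder that trusts the raw file name with one that percent-encodes each segment including `%`, and adds a repository scan that flags names which URL-decode to another existing path. The function names and the sample tree are constructed for illustration.

```python
# Added example, not code from the report or from GitLab. It models the
# ambiguity the report describes: a file literally named dir%2f__hello__.sh
# collides with dir/__hello__.sh when a web front end URL-decodes the name
# once without first encoding the '%' the name already contains.
from urllib.parse import quote, unquote


def url_path_for(repo_path: str) -> str:
    """Build a blob URL path by percent-encoding every segment.

    quote(safe='') encodes '/' and, crucially, '%' itself, so the literal
    name dir%2f__hello__.sh becomes dir%252f__hello__.sh and survives one
    decoding step intact.
    """
    return "/".join(quote(seg, safe="") for seg in repo_path.split("/"))


def naive_url_path_for(repo_path: str) -> str:
    """The flawed variant: treats the raw name as already URL-safe."""
    return repo_path


def resolve_from_url(url_path: str) -> str:
    """Server side: decode each segment once to get the repository path."""
    return "/".join(unquote(seg) for seg in url_path.split("/"))


def find_ambiguous_paths(paths):
    """Return (literal_name, decodes_to) pairs for names containing '%'
    that URL-decode to a different path which also exists in the tree.
    Useful as a repository scan or pre-receive check."""
    existing = set(paths)
    hits = []
    for p in paths:
        if "%" in p:
            decoded = unquote(p)
            if decoded != p and decoded in existing:
                hits.append((p, decoded))
    return hits


# Constructed sample tree mirroring the report's repository.
SAMPLE_TREE = ["README.md", "dir/__hello__.sh", "dir%2f__hello__.sh"]

if __name__ == "__main__":
    literal = "dir%2f__hello__.sh"
    print("naive:", resolve_from_url(naive_url_path_for(literal)))  # dir/__hello__.sh
    print("fixed:", resolve_from_url(url_path_for(literal)))        # dir%2f__hello__.sh
    print("flags:", find_ambiguous_paths(SAMPLE_TREE))
```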
Output of checks
This bug happens on GitLab.com
Impact
The absence of double encoding in file names in GitLab represents a risk that inadvertently facilitates attackers in creating repositories with malicious content. By exploiting this deficiency, an attacker can intentionally hide malicious files and directories, deceiving users and avoiding detection through GitLab's web interface. This insidious tactic allows attackers to deploy malicious code on compromised systems when victims download the repository, executing arbitrary commands and potentially compromising the integrity and security of the affected systems.