Bypassing tag check and branch check through imports

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2299337 by aaron_dewes on 2023-12-29, assigned to GitLab Team:

Report

NOTE! Thanks for submitting a report! Please note that initial triage is handled by HackerOne staff. They are identified with a HackerOne triage badge and will escalate to the GitLab team any. Please replace all the (parenthesized) sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

Summary

GitLab recently implemented a check for security purposes that prevents tags or branches from being named with a SHA1 or SHA256 tag name (5146cc01).

Steps to reproduce

  1. Create a repository with a branch or tag name that is also a commit name (SHA1 or SHA256) and upload it on any external Git provider.
  2. Import it to GitLab.

Impact

I am not sure what impacts you estimated with the original bug fix, but it was security related. Some things I can imagine:

Examples

Not sure if necessary; if you need it, please let me know.

What is the current bug behavior?

Branch or tag with the 40-character hex name gets created.

What is the expected correct behavior?

Branch or tag cannot be created.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Impact

This field is duplicated in the "create report" form for some reason, so please check above.
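
An added example, not part of the report and not GitLab's own code: a Ruby audit that lists the branches and tags of an already-imported repository whose names have the shape the report describes (a full 40-character SHA1 or 64-character SHA256 hex string). The function names, the constants and the sample ref listing are hypothetical and constructed for illustration.

```ruby
# Added example: audit a repository's refs for branch or tag names that look
# like commit IDs (40 hex chars for SHA-1, 64 for SHA-256).
require 'open3'

# Full-length object ID shapes named in the report (assumed to be the target).
HASH_LIKE_NAME = /\A(?:\h{40}|\h{64})\z/

REF_PREFIXES = { 'refs/heads/' => :branch, 'refs/tags/' => :tag }.freeze

# Takes the output of `git for-each-ref --format='%(refname)'` (one full ref
# name per line) and returns [[kind, short_name], ...] for offending refs.
def hash_like_refs(ref_listing)
  ref_listing.each_line.filter_map do |line|
    ref = line.strip
    prefix, kind = REF_PREFIXES.find { |p, _| ref.start_with?(p) }
    next unless prefix # ignore remotes, notes and other namespaces

    name = ref.delete_prefix(prefix)
    [kind, name] if HASH_LIKE_NAME.match?(name)
  end
end

# Runs the audit against a repository on disk (path is the caller's choice).
def audit_repository(path)
  out, status = Open3.capture2('git', '-C', path, 'for-each-ref', '--format=%(refname)')
  raise "git for-each-ref failed for #{path}" unless status.success?

  hash_like_refs(out)
end

# Constructed sample listing, as an imported repository might produce.
SAMPLE_REFS = <<~REFS
  refs/heads/main
  refs/heads/#{'a1' * 20}
  refs/heads/feature/#{'a1' * 20}
  refs/tags/v1.0.0
  refs/tags/#{'0F' * 32}
  refs/tags/#{'b' * 41}
  refs/remotes/origin/#{'c' * 40}
REFS

if __FILE__ == $PROGRAM_NAME
  hash_like_refs(SAMPLE_REFS).each { |kind, name| puts "#{kind}\t#{name}" }
end
```

Only names that are a hex string of exactly one of those two lengths are reported; a nested name such as `feature/<hex>` or a 41-character name is not, because it cannot be mistaken for a full commit ID.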

How To Reproduce

Please add reproducibility information to this section: