Arbitrary file read in project uploads controller via path traversal
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #1994725](https://hackerone.com/reports/1994725)** by `pwnie` on 2023-05-20, assigned to `H1 Triage`:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
The project uploads controller is vulnerable to path traversal in the `:filename` parameter, which leads to arbitrary file reads.
##### Steps to reproduce
1. Create a new group and recursively create 10 new subgroups
   Example: http://gitlab.com/11/22/33/44/55/66/88/99/aa/bb/cc/dd/ (notice the deeply nested subgroups and a project at the end, `dd`).
1.5 If you don't want to do this step you can just use mine: https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11
2. Go to https://gitlab.com/11753220/22/33/44/55/66/77/88/99/10/11/uploads/9079e1f1e5765d269fd80e23f0dc3441/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
##### Impact
Arbitrary file read
##### What is the current *bug* behavior?
`:filename` can contain path traversal characters.
##### What is the expected *correct* behavior?
Sanitize `:filename`.
##### Relevant logs and/or screenshots
##### Output of checks
The bug happens on GitLab.
#### Impact
Arbitrary file read
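The expected behaviour above is to sanitize `:filename` before it is used to build a path. The following is an added example of such a check, written by the editor for this page; it is not GitLab's controller code, and the `UPLOADS_ROOT` location, the `resolve_upload` helper and the `<secret>/<filename>` layout are assumptions. It decodes the parameter first (the report's payload arrives URL-encoded), allowlists a single plain path component, and then confirms the resolved path is still beneath the uploads root.

```ruby
require 'pathname'
require 'cgi'

# Assumed uploads location; not GitLab's real path.
UPLOADS_ROOT = Pathname.new('/var/opt/app/uploads').freeze

# Allowlist: letters, digits, underscore, dot and hyphen only.
SAFE_FILENAME = /\A[\w.\-]+\z/

# True when `raw`, after URL decoding, is exactly one plain path component.
def safe_filename?(raw)
  name = CGI.unescape(raw.to_s)            # turn %2F back into "/" before checking
  return false if name.empty?
  return false if name.include?('/') || name.include?('\\') || name.include?("\0")
  return false if name == '.' || name == '..'
  SAFE_FILENAME.match?(name)
end

# Builds UPLOADS_ROOT/<secret>/<filename> and returns the Pathname, or nil
# when either component is rejected or the result escapes UPLOADS_ROOT.
def resolve_upload(secret, filename)
  return nil unless safe_filename?(secret) && safe_filename?(filename)

  candidate = (UPLOADS_ROOT + secret + filename).cleanpath
  return nil unless candidate.to_s.start_with?("#{UPLOADS_ROOT}/")

  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate upload and the traversal shape from the report.
  p resolve_upload('9079e1f1e5765d269fd80e23f0dc3441', 'report.pdf')
  p resolve_upload('9079e1f1e5765d269fd80e23f0dc3441', '..%2F..%2Fetc%2Fpasswd')
end
```

Two points matter in practice: validate after decoding, so an encoded separator cannot slip past a check on the raw string, and keep the final containment check even with the allowlist in place, so a later change to the allowlist cannot silently reopen the traversal.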
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues