An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the “Repo by URL” import option in GitLab. The command line git client was not properly escaping command line arguments in URLs using the SSH protocol before invoking the SSH client. A specially crafted URL could be used to execute arbitrary shell commands on the GitLab server.
To fully patch this vulnerability two fixes were needed. The Omnibus versions of GitLab contain a patched git client. For source users who may still be running an older version of git, GitLab now also blocks import URLs containing invalid hosts and usernames (35212).
This issue has been assigned CVE-2017-12426.
Thanks to Joern Schneeweisz and Recurity-Labs for discovering this vulnerability, providing immediate notification, and helping us coordinate a release across several projects.
We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.
If you’re unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.
Note: Disabling the “Repo by URL” import option does not fully mitigate this vulnerability as existing projects will still be able to change their import URLs.
GitLab CE+EE instances that cannot be patched immediately can disable support for SSH URLs in project imports and mirrors by editing the GitLab source code and removing ssh from the list of valid protocols.
For source users edit: /app/validators/addressable_url_validator.rb.
For Omnibus users edit: /opt/gitlab/embedded/service/gitlab-rails/app/validators/addressable_url_validator.rb.
Change:
DEFAULT_OPTIONS = { protocols: %w(http https ssh git) }.freeze
To:
DEFAULT_OPTIONS = { protocols: %w(http https git) }.freeze
Then restart GitLab.
For Omnibus users: gitlab-ctl restart.
Be certain that you do not revert this patch until you have installed an updated version of git.
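As an added illustration (not GitLab's code) of what the workaround above changes and what the second fix adds, the following stand-alone Ruby check applies the reduced protocol list and rejects import URLs whose host or username is not well-formed. It uses Ruby's standard URI library instead of the Addressable gem; the ImportUrlCheck module and its patterns are assumptions for this example, not GitLab's implementation.

```ruby
require "uri"

# Added example, not GitLab's own validator: a minimal stand-in for the
# behaviour of AddressableUrlValidator after the workaround (ssh removed
# from the protocol list) plus a strict host/username check in the spirit
# of the second fix. Built on stdlib URI so it runs without extra gems.
module ImportUrlCheck
  # Workaround from the advisory: ssh is no longer an allowed protocol.
  ALLOWED_PROTOCOLS = %w(http https git).freeze

  # DNS-style hostname: labels of letters, digits and hyphens that must
  # start and end with a letter or digit. IPv6 literals ("[::1]") are
  # deliberately not accepted by this simplified check.
  HOST_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\z/
  # Conservative username: must start with a letter, digit or underscore.
  USER_RE = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/

  # Returns [accepted, reason]; reason is nil when the URL is accepted.
  # Pass protocols: to compare against a different allow list.
  def self.check(url, protocols: ALLOWED_PROTOCOLS)
    uri = URI.parse(url)
    return [false, "protocol not allowed"] unless protocols.include?(uri.scheme)
    return [false, "invalid host"] unless uri.host && HOST_RE.match?(uri.host)
    return [false, "invalid username"] if uri.user && !USER_RE.match?(uri.user)
    [true, nil]
  rescue URI::InvalidURIError
    # scp-style "user@host:path" is not a URL and lands here.
    [false, "unparseable URL"]
  end

  def self.valid?(url, **opts)
    check(url, **opts).first
  end
end
```

With the pre-workaround list %w(http https ssh git) passed as protocols:, the same ssh URL is accepted, which is why the advisory also recommends the host and username checks as a second layer.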