Full Report
Gitlab is version control with many other services, such as CI/CD and many other things. DecompressedArchiveSizeValidator is a function that is used to check the size of a archive before extracting it. This is done by using popen3 with gzip. Since the path is potentially user controlled input, the author tried to find a path to exploit this. One place this is used is ImportExport::Importer, which gets the path from project.import_source. Most of the time, this variable is nil though. In the case of bulk imports, this is set with user controllable data though. Using bulk imports, there is a tiny amount of verification done in a regex to remove prohibited values. Shell meta-characters are not included in this flow though. A trivial command injection payload can be used to write to the file system or do anything else now! There are a few complications with this. First, the bulk projects feature flag needs to be enabled. Although, the author of the post found a bypass for this flag to be enabled. This allowed them to trigger the vulnerability on Gitlab.com as well. Secondly, the bulk import size check only happens after 5+ minutes and hitting the max retries for the file. Overall, awesome bug! Found a bad sync then went backwards to find the source.
Analysis Summary
# Vulnerability: GitLab Command Injection via Unsanitized Input in Archive Size Validation
## CVE Details
- CVE ID: [Information not explicitly provided in the context, assumed 'TBD' or inferred if official disclosure exists]
- CVSS Score: [Information not explicitly provided in the context, assumed 'High' based on impact] (Severity: High/Critical)
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Affected Systems
- Products: GitLab (Self-Managed and GitLab.com)
- Versions: Versions prior to the patched release containing the fix for this vulnerability.
- Configurations: Systems utilizing the Project Bulk Import feature where user-controlled input is processed by `DecompressedArchiveSizeValidator`. The vulnerability is likely triggered when the "bulk projects feature flag" is enabled (or bypassed).
## Vulnerability Description
The vulnerability resides within the `DecompressedArchiveSizeValidator` function, used to check archive sizes before extraction, which employs `popen3` with `gzip`. This function processes a potentially user-controlled path derived from `project.import_source`, often set during Bulk Imports. A weak regular expression verification in the bulk import flow fails to sanitize shell meta-characters. Successful exploitation allows an attacker to inject arbitrary operating system commands, leading to file system write operations or arbitrary code execution within the context of the GitLab process. Complicating factors include a size check timeout occurring after 5+ minutes, and an initial feature flag dependency that was reported to have a bypass mechanism, allowing for exploitation on instances like GitLab.com.
## Exploitation
- Status: PoC available (Implied by the detailed description of testing and triggering the issue, though "Exploited in the wild" is not confirmed)
- Complexity: Low (Trivial command injection payload described)
- Attack Vector: Network (Requires authenticated access to initiate a bulk import)
## Impact
- Confidentiality: High (Arbitrary file read/system access)
- Integrity: High (Arbitrary system command execution, modification of data or system state)
- Availability: High (Potential for denial of service or system compromise)
## Remediation
### Patches
- Patches are available in subsequent GitLab versions released after the disclosure of this vulnerability. Users must update to the version containing the fix addressing unfiltered user input in the bulk import validation path.
### Workarounds
- Disable or restrict access to the Bulk Import feature (if possible).
- Ensure the "bulk projects feature flag" is disabled, although a bypass for this flag was reportedly discovered.
## Detection
- Indicators of Compromise: Unusual external process executions originating from the web server process (e.g., shells spawning via `gzip` command arguments). Inspection of the GitLab logs for unexpected system calls executed via `popen3` in the context of archive validation.
- Detection methods and tools: Utilize security monitoring tools focused on command execution deviations from baseline for the application worker processes (e.g., `puma`, `sidekiq`).
## References
- Vendor Advisories: Search official GitLab security advisories published around the time the vulnerability was found/disclosed.
- Relevant links: HackerOne submission/write-up detailing the bulk import flow (Defanged: hxxps://hackerone[.]com/report/[report_id])