Gitlab is version control with many other services, such as CI/CD and many other things. DecompressedArchiveSizeValidator is a function that is used to check the size of a archive before extracting it. This is done by using popen3 with gzip. Since the path is potentially user controlled input, the author tried to find a path to exploit this. One place this is used is ImportExport::Importer, which gets the path from project.import_source. Most of the time, this variable is nil though. In the case of bulk imports, this is set with user controllable data though. Using bulk imports, there is a tiny amount of verification done in a regex to remove prohibited values. Shell meta-characters are not included in this flow though. A trivial command injection payload can be used to write to the file system or do anything else now! There are a few complications with this. First, the bulk projects feature flag needs to be enabled. Although, the author of the post found a bypass for this flag to be enabled. This allowed them to trigger the vulnerability on Gitlab.com as well. Secondly, the bulk import size check only happens after 5+ minutes and hitting the max retries for the file. Overall, awesome bug! Found a bad sync then went backwards to find the source.