SLTechnology News&Howtos > Network Security (updated 2025-01-24)
Shulou(Shulou.com)05/31 Report--
In this issue, the editor brings you an analysis of the GitLab arbitrary file read vulnerability CVE-2020-10977. The article is rich in content and discusses the issue from a professional point of view. I hope you get something out of reading it.
On April 28th, 2020, details of an arbitrary file read vulnerability in GitLab were made public. The patch was officially released by GitLab on March 26th, 2020.
Introduction to the affected component
GitLab is an open source repository management system that uses Git as its code management tool and builds web services on top of it. It is developed by GitLab Inc. as a web-based Git repository management tool, released under the MIT license, with wiki and issue tracking features.
Vulnerability analysis
When an issue is moved between GitLab projects, the UploadsRewriter module copies the files referenced in the issue's markdown from the source project to the new project. Part of the code that performs this operation is as follows:
This code does not impose any path restriction on the files referenced by the issue, so it contains a directory traversal vulnerability. Through it, arbitrary files can be copied from the GitLab server into the new issue. The only check during this process is the pattern used to find the referenced file:
MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*)\)}.freeze
This regular expression is used to match files referenced in the issue. Although it imposes some restrictions on the referenced path (the markdown link form and a 32-character hex secret), the file component is unrestricted, so directory traversal is not prevented; an attacker who can move an issue can use this to read arbitrary files from the server host.
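To make the traversal concrete, the following added Ruby example (written for this page, not GitLab's own code) runs the page's pattern over constructed issue markdown and contrasts the unchecked path join with a lookup that refuses any reference resolving outside the upload directory. The group names :secret and :file and the base directory are assumptions.

```ruby
require 'pathname'

# Pattern from the page; the named groups :secret and :file are assumed.
MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*)\)}.freeze

# Assumed upload base directory for the example (not a real GitLab path).
UPLOADS_BASE = '/var/opt/gitlab/uploads/project'.freeze

# Constructed issue markdown: one benign reference, two that escape the
# upload directory (relative traversal and an absolute path).
ISSUE_MARKDOWN = <<~MD.freeze
  ![shot](/uploads/0123456789abcdef0123456789abcdef/screenshot.png)
  ![cfg](/uploads/0123456789abcdef0123456789abcdef/../../../../../etc/passwd)
  ![abs](/uploads/0123456789abcdef0123456789abcdef//etc/passwd)
MD

# Unchecked behaviour as described on the page: the matched file name is
# joined onto the upload directory without any validation.
def naive_upload_path(secret, file)
  File.join(UPLOADS_BASE, secret, file)
end

# Hardened lookup: expand the candidate path relative to the secret's
# directory and require it to remain strictly inside that directory.
# Returns nil for anything that escapes (relative '..' or absolute paths).
# A production check would also resolve symlinks with File.realpath.
def safe_upload_path(secret, file)
  dir = File.expand_path(File.join(UPLOADS_BASE, secret))
  path = File.expand_path(file, dir)
  return nil unless path.start_with?(dir + File::SEPARATOR)

  path
end

# Walk every upload reference in the markdown and report both resolutions,
# which is what a reviewer auditing an issue move would want to see.
def audit_references(markdown)
  markdown.each_line.map do |line|
    m = MARKDOWN_PATTERN.match(line)
    next unless m

    { file: m[:file],
      naive: naive_upload_path(m[:secret], m[:file]),
      safe: safe_upload_path(m[:secret], m[:file]) }
  end.compact
end

audit_references(ISSUE_MARKDOWN).each { |r| puts r.inspect } if $PROGRAM_NAME == __FILE__
```

A nil in the safe column marks a reference that the hardened check rejects while the naive join would have copied it.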
Affected versions
GitLab CE/EE >= 8.5