Remote Command Execution in git client
An external code review performed by Recurity-Labs identified a remote
command execution vulnerability in git that could be exploited via the "Repo
by URL" import option in GitLab. The command line git client was not
properly escaping command line arguments in URLs using the SSH protocol
before invoking the SSH client. A specially crafted URL could be used to
execute arbitrary shell commands on the GitLab server.
To fully patch this vulnerability two fixes were needed. The Omnibus
versions of GitLab contain a patched git client. For source users who may
still be running an older version of git, GitLab now also blocks import URLs
containing invalid host and usernames.
This issue has been assigned CVE-2017-12426.
Improper sanitization of GitLab export files on import
GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a
patch for a critical directory traversal vulnerability in the GitLab export
feature that could be exploited by including symlinks in the export file and
then re-importing it to a GitLab instance. This vulnerability was patched by
checking for and removing symlinks in these files on import.
Recurity-Labs also determined that this fix did not properly remove symlinks for
hidden files. Though not as dangerous as the original vulnerability hidden file
symlinks could still be used to steal copies of git repositories belonging to
other users if the path to the git repository was known by the attacker. An
updated fix has been included in these releases that properly removes all
symlinks.
This import option was not made available to non-admin users until GitLab
8.13.0.