Private certificate disclosure via Symlinks
From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:
- Effort: Low
- Impact: Medium
- Location: GitLab Pages
Details
Within GitLab Pages, the tryFile method is defined as follows:
func (d *domain) tryFile(w http.ResponseWriter, r *http.Request,
projectName string, subPath ...string) error {
path, err := d.resolvePath(projectName, subPath...)
if err != nil {
return err }
path, err = d.checkPath(w, r, path)
if err != nil {
return err }
return d.serveFile(w, r, path)
}Within the called methods resolvePath and checkPath checks are implemented to ensure that no traversals (especially via symlinks) out of projects public directory are made. However, within the subsequent call to serveFile, those checks can be bypassed:
func (d *domain) serveFile(w http.ResponseWriter, r *http.Request,
origPath string) error {
Location
Details
fullPath := handleGZip(w, r, origPath)
file, err := os.Open(fullPath)
if err != nil {
return err }
defer file.Close()
fi, err := file.Stat()
if err != nil {
return err }
// Set caching headers
w.Header().Set("Cache-Control", "max-age=600")
w.Header().Set("Expires",
time.Now().Add(10*time.Minute).Format(time.RFC1123))
fmt.Println("Serving", fullPath, "for", r.URL.Path)
// ServeContent sets Content-Type for us
http.ServeContent(w, r, origPath, fi.ModTime(), file)
return nil
}The handleGZip method will concatenate .gz to the checked filepath if the HTTP request accepts GZIPed content and such a file exists. However, if the .gz file is a symlink itself, no checks are performed.
This issue is partially mitigated as the GitLab Pages process is chrooted. Therefore, no system files can be exfiltrated by this issue. However, config.json files of other projects are affected by this behavior. Those files can contain sensitive information, such as private keys for custom Pages domains.
Reproduction Steps
Create a Pages repository containing a file x.html and a symbolic link x.html.gz, the symbolic link should point to e.g. ../config.json. After deployment of the page the traversal can be observed by requesting the file from its Pages domain with an Accept-Encoding: gzip Header set.
Recommendation
The handleGZip method should check if the .gz files are symbolic links in order to mitigate this issue.
Activity
/cc: @nick.thomas
Introduced in https://gitlab.com/gitlab-org/gitlab-pages/merge_requests/25
I'll get to work on a patch tomorrow!
assigned to @nick.thomas
Since the uncompressed version of the file can be a symlink, which is followed, I believe we need to allow the conmpressed version to be a symlink, which would also be followed. Just not out of the
public/hierarchy.It's a bit awkward though, and nothing actually breaks if we ignore
.gzfiles that are symlinks - we just fall back to the uncompressed version.Edited by Nick ThomasOK, we have a
0-4-stablebranch: https://dev.gitlab.org/gitlab/gitlab-pages/tree/0-4-stableTwo Pages MRs, one against master (0.5) and one against that branch:
- GitLab Pages v0.4.4 https://dev.gitlab.org/gitlab/gitlab-pages/merge_requests/2
- GitLab Pages v0.5.1 https://dev.gitlab.org/gitlab/gitlab-pages/merge_requests/1
Once merged, tags will need to be created.
On GitLab's side:
- CE v9.2 https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2156
- CE v9.3 https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2157
- CE v9.4 https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2158
- CE v9.5 https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2159
This won't make it into the security release being prepared today. It should go into the next one though.
Edited by Nick Thomasadded In review label
@ernstvn @nick.thomas This was merged a few days ago, right? Can we close this?
@zj not yet. We're waiting for v9.5.3 to be released with these fixes before making this non-confidential. Follow along here: https://gitlab.com/gitlab-org/gitlab-ce/issues/36893
