I couldn’t find a way to actually exploit this one in a typical configuration (although it’s clearly a security issue), but I think it’s fun (and simple) enough to write up anyway.

The regular expressions used in GitLab 7.6 to validate usernames and repository names had been updated, and accidentally no longer excluded the names ‘.’ and ‘..’.

This meant that an attacker could create a user called ‘..’, and a repository as part of a project with a name of ‘..’, and the repository would be stored under the filesystem in a path like this (assuming a project called ‘test’):

/var/opt/gitlab/git-data/repositories/../../test.git

Predictably, this resulted in the repository actually being created in a parent directory two levels up from the repository store, in this case, “/var/opt/gitlab/test.git”.

I notified GitLab on January 11th and they acknowledged the report within a day, and then informed me on January 23rd that they’d released GitLab 7.7 which used different code for creating projects, and was no longer vulnerable to this attack.