Is Gerrit exposed to zip-slip vuln?


Darragh Bailey
Jun 15, 2018, 12:49:53 PM
to Repo and Gerrit Discussion
Hi,

Based on https://eclipse.googlesource.com/jgit/jgit/+/c86dcba7c45246562e07f952dcbbf44f9fc957c5 I'm wondering if there is any exposure to the recent zip-slip vulnerability in Gerrit?

Presumably if it is at all possible it's limited to a malicious user who already has authenticated access? Where they could manage to upload a pack file via a review and force Gerrit to unpack over a sensitive location by visiting via the web UI to look at the review?

Darragh
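As an added illustration of the bug class being asked about (this is constructed example code, not code from this thread, from Gerrit or from JGit), the script below builds a small zip archive in memory whose second entry is named `../../etc/evil.txt`, then extracts it twice: once with the vulnerable pattern that joins each entry name straight onto the extraction directory, and once with a hardened extractor that resolves every entry against the extraction root and refuses the whole archive before writing anything if any entry would land outside it. The archive contents, the entry names and the helper names (`safe_target`, `is_safe_entry`, `naive_extract`, `safe_extract`, `demo`) are all assumptions made for this example.

```python
"""Zip-slip: unsafe vs. hardened extraction of an archive with a traversal entry.

Constructed example; not Gerrit or JGit code. Everything is written inside a
throwaway temp directory so the 'escape' is observable but harmless.
"""
from __future__ import annotations

import io
import shutil
import tempfile
import zipfile
from pathlib import Path


class UnsafeEntry(ValueError):
    """Raised when an archive entry would land outside the extraction directory."""


def build_malicious_zip() -> bytes:
    # Constructed sample: one benign entry plus one whose name climbs out of the target.
    # zipfile.writestr stores the name verbatim, so the '..' segments survive.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign content\n")
        zf.writestr("../../etc/evil.txt", "escaped the extraction directory\n")
    return buf.getvalue()


def is_inside(root: Path, path: Path) -> bool:
    """True if path (already resolved) is root itself or somewhere beneath it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def safe_target(dest: str | Path, entry_name: str) -> Path:
    """Map an entry name onto dest and reject anything that resolves outside dest.

    resolve() normalises '..' segments and follows symlinks that already exist
    under dest, so the containment check is on the final filesystem location,
    not on the entry string. An absolute entry name replaces root in the join
    and therefore also fails the check.
    """
    root = Path(dest).resolve()
    target = (root / entry_name).resolve()
    if target == root or not is_inside(root, target):
        raise UnsafeEntry(f"entry {entry_name!r} escapes {root}")
    return target


def is_safe_entry(dest: str | Path, entry_name: str) -> bool:
    """Boolean form of safe_target, handy for filtering or tests."""
    try:
        safe_target(dest, entry_name)
        return True
    except UnsafeEntry:
        return False


def naive_extract(data: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: trusts entry names and joins them straight onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename          # no containment check at all
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def safe_extract(data: bytes, dest: Path) -> list[Path]:
    """Hardened form: validate every entry first, write only if all pass."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive inside a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="zipslip-")).resolve()
    try:
        data = build_malicious_zip()
        dest = root / "extract" / "out"       # two levels deep so '../..' stays in root
        dest.mkdir(parents=True)
        naive = naive_extract(data, dest)
        escaped = [p for p in naive if not is_inside(dest.resolve(), p)]

        hardened_dest = root / "hardened"
        hardened_dest.mkdir()
        try:
            safe_extract(data, hardened_dest)
            rejected = False
        except UnsafeEntry:
            rejected = True
        leftover = [p for p in hardened_dest.rglob("*") if p.is_file()]
        return {
            "naive_escaped": [p.relative_to(root).as_posix() for p in escaped],
            "hardened_rejected": rejected,
            "hardened_files_written": len(leftover),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The naive extractor ends up writing `etc/evil.txt` two directories above where it was told to extract; the hardened one raises before touching the disk. Validating the whole entry list before the first write matters: checking per entry while writing would still leave earlier entries on disk when a later one is rejected.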

Jonathan Nieder

unread,
Jun 15, 2018, 12:53:46 PM6/15/18
to Darragh Bailey, Repo and Gerrit Discussion
I'm not aware of any instances where Gerrit unzips files onto the filesystem.

Fri, Jun 15, 2018 at 9:49, Darragh Bailey <daragh...@gmail.com>:

Björn Pedersen
Jun 18, 2018, 12:51:44 AM
to Repo and Gerrit Discussion

According to the relevant commit:  https://eclipse.googlesource.com/jgit/jgit/+/0d908de53f5623223791dca59a1464d4cf2e3a51
ZipSlip is not a jgit vulnerability, but a maven one. As gerrit does not use maven (unless you want to build some ancient version) I would not expect gerrit to be affected.

Björn

David Pursehouse
Jun 18, 2018, 2:08:26 AM
to Björn Pedersen, Repo and Gerrit Discussion
On Mon, Jun 18, 2018 at 1:51 PM 'Björn Pedersen' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

> According to the relevant commit: https://eclipse.googlesource.com/jgit/jgit/+/0d908de53f5623223791dca59a1464d4cf2e3a51
> ZipSlip is not a jgit vulnerability, but a maven one.

The commit updates a few Maven plugins that were fixed to prevent the vulnerability, but that is not to say the vulnerability is limited only to Maven.

> As gerrit does not use maven (unless you want to build some ancient version) I would not expect gerrit to be affected.

Darragh Bailey
Jun 19, 2018, 7:12:52 AM
to David Pursehouse, Björn Pedersen, Repo and Gerrit Discussion
On 18 June 2018 at 07:08, David Pursehouse <david.pu...@gmail.com> wrote:

> On Mon, Jun 18, 2018 at 1:51 PM 'Björn Pedersen' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:
>
> > According to the relevant commit: https://eclipse.googlesource.com/jgit/jgit/+/0d908de53f5623223791dca59a1464d4cf2e3a51
> > ZipSlip is not a jgit vulnerability, but a maven one.

Good point, I didn't look too closely at it, I was just hoping for an affirmative that it's not vulnerable.

> The commit updates a few Maven plugins that were fixed to prevent the vulnerability, but that is not to say the vulnerability is limited only to Maven.

So for the moment inconclusive? Or just difficult to prove it's absolutely not vulnerable?

My initial thoughts were it would be unlikely, but there were really only two areas I could think of that might need confirmation: JGit handling of pack files (not even sure if it's possible for a pack file to suffer from the same issue) and plugin install, and the latter requires admin privs anyway so not too much of a worry.

If this affected git I would have expected to have heard something related to zip-slip and specially crafted pack files, so I'm presuming it's relatively unlikely, but it would be good to get confirmation from somewhere that jgit is definitely not impacted. But I'll take this part of the question to the jgit team.

It certainly sounds like there isn't anywhere in Gerrit that is obviously an issue, so thanks, and I will follow up on the jgit part separately.

--
Darragh Bailey
"Nothing is foolproof to a sufficiently talented fool"

David Pursehouse
Jun 19, 2018, 7:28:05 AM
to Darragh Bailey, Björn Pedersen, Repo and Gerrit Discussion
There was a previous discussion on this list [1] where it was stated that jgit is not vulnerable, although there was another issue [2] related to submodule names.

Darragh Bailey
Jun 19, 2018, 8:24:25 AM
to David Pursehouse, Björn Pedersen, Repo and Gerrit Discussion
On 19 June 2018 at 12:27, David Pursehouse <david.pu...@gmail.com> wrote:

> On Tue, Jun 19, 2018 at 8:12 PM Darragh Bailey <daragh...@gmail.com> wrote:
>
> <snipped>
>
> There was a previous discussion on this list [1] where it was stated that jgit is not vulnerable, although there was another issue [2] related to submodule names.

Thanks for the pointer, hadn't connected the dots that these two were connected.

Jonathan Nieder
Jun 19, 2018, 12:39:02 PM
to Darragh Bailey, David Pursehouse, Björn Pedersen, Repo and Gerrit Discussion
> Thanks for the pointer, hadn't connected the dots that these two were connected.

They aren't connected, except that they are both about path validation.

Tue, Jun 19, 2018 at 5:24, Darragh Bailey <daragh...@gmail.com>: