Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Arbitrary PUT request as victim user through Sentry error list- 1777

GitLab (posted 4 months ago)
  • In GitLab, you can configure a Sentry server, and GitLab generates action buttons for the error tracking list from the error data it receives. By controlling the contents of that error information, you can alter the path of the follow-up requests GitLab makes. This class of vulnerability is known as Client-Side Path Traversal (CSPT).
  • By putting ../../ in the error message, we can traverse up the path of those follow-up requests. In this case, it's possible to make the victim's browser issue arbitrary PUT requests to GitLab. The impact of this is immense! Trick users into adding admins, elevating membership, and approving membership. I assume that the contents of the PUT request are controlled via JSON with this.
  • The comments on the bug are interesting. One of them claims that an attacker could do this by tricking GitLab support with this issue. They also find other sinks that they decide to fix. They ended up adding enforce_path_traversal_check to an internal library, making this default to true. Great bug and great report!
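As an added illustration of the fix that report describes (this is my own example, not GitLab's code, and the base URL, the helper names and the `enforce_path_traversal_check` keyword are assumptions modelled on the report rather than GitLab's real routes or API), here is a small Ruby sketch showing why appending an untrusted identifier to a URL lets `../../` re-route the request, and what a per-segment traversal check looks like. The check fully decodes percent-encoding first, because a component further downstream may decode `%2e%2e%2f` into `../` after the check has run:

```ruby
require 'uri'

# Constructed base for the example; not a real GitLab route.
BASE = URI('https://gitlab.example.com/api/v4/projects/42/error_tracking/errors/')

class PathTraversalError < StandardError; end

# Decode percent-encoding until it stops changing, so that single- and
# double-encoded dots (%2e%2e, %252e%252e) are seen as the '..' they
# become after one or two decoding passes.
def fully_decode(segment)
  loop do
    decoded = URI.decode_www_form_component(segment)
    return decoded if decoded == segment
    segment = decoded
  end
end

# True when the value cannot be a single, safe path segment:
# empty, a dot segment, or containing a path separator. Malformed
# percent-encoding is rejected as well rather than silently accepted.
def traversal?(segment)
  decoded = fully_decode(segment)
  decoded.empty? || %w[. ..].include?(decoded) || decoded.match?(%r{[/\\]})
rescue ArgumentError
  true
end

# Where the follow-up request actually lands when the attacker-controlled
# value is merged onto the base without any check (the weak form).
def resolved_path(segment)
  BASE.merge(segment).path
end

# Hardened form, modelled on the report's enforce_path_traversal_check:
# refuse to build the URL unless the id is one clean path segment.
def build_error_url(segment, enforce_path_traversal_check: true)
  if enforce_path_traversal_check && traversal?(segment)
    raise PathTraversalError, "refusing to use #{segment.inspect} as a path segment"
  end
  BASE.merge(segment).to_s
end

if __FILE__ == $PROGRAM_NAME
  puts resolved_path('abc123')      # stays under BASE.path
  puts resolved_path('../../x')     # escapes BASE.path: /api/v4/projects/42/x
  puts build_error_url('abc123')
  begin
    build_error_url('../../x')
  rescue PathTraversalError => e
    puts "blocked: #{e.message}"
  end
end
```

Running it shows the traversal value resolving two directories above the errors collection, while the checked builder refuses it; the same check also catches the encoded variants that a plain `include?('..')` on the raw string would miss.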