Описание
Gogs has arbitrary file read/write via Path Traversal in Git hook editing
Vulnerability Description
In the endpoint:
/username/reponame/settings/hooks/git/:name
the :name parameter:
- Is URL-decoded by macaron routing, allowing decoded slashes (
/) - Is then passed directly to:
git.Repository.Hook("custom_hooks", name)
which internally resolves the path as:
filepath.Join(repoPath, "custom_hooks", name)
Because no path sanitization is applied, supplying ../ sequences allows access to arbitrary paths outside the repository.
As a Result:
- GET: Arbitrary file contents are displayed in the hook edit page textarea (Local File Inclusion).
- POST: Existing files can be overwritten with attacker-controlled content (Arbitrary File Write).
Attack Prerequisites
- The attacker is an authenticated user
- The attacker has Admin or higher privileges on the target repository
- The attacker has the AllowGitHook permission (or is a site administrator)
- The target file is readable/writable by the Gogs process OS permissions
Attack Scenario
- An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL
- A path containing
../is supplied in:name, fully URL-encoded using%2f - The server resolves
custom_hooks/../../...without validation - Arbitrary file contents are displayed and existing files can be overwritten
Potential Impact
- Sensitive information disclosure:
app.ini, databases, logs, environment variables, etc. - Configuration or data tampering: Overwriting existing files
- Secondary impact: Extraction of
SECRET_KEYand database credentials may allow token forging or further compromise
Пакеты
Наименование
gogs.io/gogs
go
Затронутые версииВерсия исправления
<= 0.13.3
0.13.4