charmbracelet soft-serve
cpe:2.3:a:charm:soft_serve:*:*:*:*:go:*:*
- <= v0.11.1
Soft Serve, a self-hostable Git server, is affected prior to version 0.11.2 by an authorization bypass in the Git Large File Storage (LFS) lock deletion process. Any authenticated user with write access to a repository can delete locks held by other users by setting the force flag on the deletion request. The vulnerability arises because the code handling force deletions performs the deletion before checking the requester's authorization, so the ownership check is never reached. The problem has been addressed in version 0.11.2.
Exploitation allows the unauthorized deletion of LFS locks owned by other users, disrupting collaborative workflows that rely on LFS locks to coordinate edits to binary files. It does not grant access to LFS objects or escalate repository permissions, but in repositories with multiple collaborators it can cause significant workflow disruption.
To reproduce this vulnerability, two users with write access to the same repository are needed. User A (the lock owner) creates a lock on a file using the LFS locks endpoint. User B (the attacker) then deletes User A's lock by sending a deletion request to the same endpoint with the force flag set. If the deletion succeeds even though User B does not own the lock, the ownership check is being bypassed and the vulnerability is present.
Users can update to Soft Serve version 0.11.2 or later, where this vulnerability has been patched.
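The ordering flaw described above, beside the check-before-delete form that the fix requires, as an added Go illustration that is not Soft Serve's own code: the in-memory LockStore, the Lock type and the isAdmin flag are assumptions made for the example.

```go
package main

import "errors"

// Lock is a minimal LFS lock record, constructed for this example
// (not Soft Serve's own type).
type Lock struct{ ID, Path, Owner string }

var ErrNotFound = errors.New("lock not found")
var ErrForbidden = errors.New("lock is owned by another user")

// LockStore is an in-memory stand-in for the server's lock table.
type LockStore struct{ locks map[string]Lock }

func NewLockStore() *LockStore          { return &LockStore{locks: map[string]Lock{}} }
func (s *LockStore) Create(l Lock)      { s.locks[l.ID] = l }
func (s *LockStore) Has(id string) bool { _, ok := s.locks[id]; return ok }

// DeleteVulnerable reproduces the ordering flaw described above: the force
// branch deletes before ownership is consulted, so any writer can remove
// another user's lock by sending force=true.
func (s *LockStore) DeleteVulnerable(user, id string, force bool) error {
	l, ok := s.locks[id]
	if !ok {
		return ErrNotFound
	}
	if force { // authorization bypass: no owner check on this path
		delete(s.locks, id)
		return nil
	}
	if l.Owner != user {
		return ErrForbidden
	}
	delete(s.locks, id)
	return nil
}

// DeleteFixed authorizes before any deletion. The owner may always delete;
// force lets a non-owner delete only when isAdmin is set (an assumed
// repository-admin role, modelled here as a plain flag).
func (s *LockStore) DeleteFixed(user string, isAdmin bool, id string, force bool) error {
	l, ok := s.locks[id]
	if !ok {
		return ErrNotFound
	}
	if l.Owner != user && !(force && isAdmin) {
		return ErrForbidden
	}
	delete(s.locks, id)
	return nil
}
```

The detection point for reviewers is the position of the authorization check: every branch that mutates state, including the force branch, must run after it.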