Gogs Path Traversal Vulnerability in Git Hook Editing Allowing Arbitrary File Read/Write

Vulnerability

A path traversal vulnerability allowing arbitrary file read and write has been identified in Gogs versions through 0.13.3. The flaw is in the Git hook editing feature: the `:name` route parameter, which is meant to carry the hook name (for example `pre-receive` or `post-receive`), is joined onto the repository's hooks directory without sanitization. An authenticated user who has admin privileges on a repository and the AllowGitHook permission can therefore supply a traversal sequence as the hook name and read files outside the repository, or overwrite existing files with attacker-chosen content, with the privileges of the Gogs process.

Impact

Exploitation could expose sensitive files readable by the Gogs process, such as the application configuration (which typically holds database credentials and secret keys), database files, logs, and environment variables. Overwriting files could break the application or, depending on which file is overwritten, lead to execution of attacker-supplied code. The vulnerability carries a CVSS score of 6.5 (moderate); the score is tempered by the preconditions, since exploitation requires an authenticated account that already holds repository admin rights and the AllowGitHook permission.

Reproduction

To reproduce this vulnerability, an authenticated user with admin privileges on a repository and the AllowGitHook permission opens the Git hook edit URL for that repository and supplies a path traversal sequence in place of the hook name in the `:name` parameter. The sequence is URL-encoded (`..%2F..%2F...` rather than `../../...`) so that the router treats it as a single path segment and still dispatches the request to the hook edit handler. The server then decodes the parameter and resolves the resulting path without validating that it stays inside the hooks directory, so the read and write operations of the hook editor apply to an arbitrary file on the server.
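The following Go program is an added illustration of the bug class described above and of one way to close it; it is not Gogs's own code and does not reproduce the project's handler. The hooks directory, the encoded hook name and the target path are constructed for the example, and `vulnerableHookPath` / `hardenedHookPath` are hypothetical helpers. It shows how an encoded traversal sequence survives routing as one segment, where `filepath.Join` on the unchecked name ends up, and how an allow-list plus a containment check stops it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed hooks directory for the repository being edited (assumption:
// a conventional Gogs repository root; not taken from any real deployment).
const hooksDir = "/data/git/gogs-repositories/alice/project.git/hooks"

// The only hook names a server-side Git repository needs to expose for
// editing. Anything else is rejected by hardenedHookPath.
var allowedHooks = map[string]bool{
	"pre-receive":  true,
	"update":       true,
	"post-receive": true,
}

// vulnerableHookPath mirrors the flaw: the route parameter is decoded and
// joined onto the hooks directory with no validation. Because the client
// sent "%2F" instead of "/", the router saw a single segment, but after
// decoding the ".." components walk out of the repository.
func vulnerableHookPath(rawName string) (string, error) {
	name, err := url.PathUnescape(rawName)
	if err != nil {
		return "", err
	}
	return filepath.Join(hooksDir, name), nil
}

// hardenedHookPath accepts only a known hook name that contains no path
// separators or dot components, and then re-checks that the resolved path
// is still inside hooksDir. The second check is defence in depth: if the
// allow-list is ever loosened, the containment test still holds.
func hardenedHookPath(rawName string) (string, error) {
	name, err := url.PathUnescape(rawName)
	if err != nil {
		return "", err
	}
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) {
		return "", errors.New("hook name must be a single path component")
	}
	if !allowedHooks[name] {
		return "", fmt.Errorf("unknown hook %q", name)
	}
	full := filepath.Join(hooksDir, name)
	if !insideDir(hooksDir, full) {
		return "", errors.New("resolved path escapes hooks directory")
	}
	return full, nil
}

// insideDir reports whether target lies strictly beneath base after cleaning.
func insideDir(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, "../")
}

func main() {
	// Constructed attacker input: six "..%2F" hops from the hooks directory
	// up to "/", then a path to a hypothetical Gogs config file.
	encoded := "..%2F..%2F..%2F..%2F..%2F..%2Fapp%2Fgogs%2Fcustom%2Fconf%2Fapp.ini"

	p, _ := vulnerableHookPath(encoded)
	fmt.Println("vulnerable resolves to:", p)

	if _, err := hardenedHookPath(encoded); err != nil {
		fmt.Println("hardened rejects traversal:", err)
	}
	if p, err := hardenedHookPath("pre-receive"); err == nil {
		fmt.Println("hardened accepts real hook:", p)
	}
}
```

Running the block prints the escaped path for the unchecked variant and an error for the hardened one; the same allow-list should gate the write side of the editor, since the advisory's impact comes from the write as much as the read.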

Remediation

Upgrade to Gogs 0.13.4 or 0.14.0+dev, which contain the fix. Until the upgrade is applied, limiting which accounts hold the AllowGitHook permission reduces the set of users who can exploit the issue, since that permission is a precondition; administrators should also review which users currently hold it.

Added: Feb 6, 2026, 6:18 PM
Updated: Feb 6, 2026, 10:55 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 5.1
remediation: 7.7
relevance: 2.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.