Remote code execution vulnerability in the code search feature of GitLab
There is a remote code execution vulnerability in the code search feature
of GitLab. This vulnerability has been assigned the CVE identifier
Versions affected: 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
Not affected: 5.1 and earlier
Fixed Versions: 5.4.1, 6.2.3
The Grit gem which serves as the Git backend for GitLab has an unsafe code
path for internal use which allows strings to be evaluated by the Bourne
shell. In affected versions, the GitLab code search feature exposes this
unsafe code path to user input from the search box. Code search in GitLab
is only available for authenticated users.
All users running an affected release should upgrade immediately or disable
code search using the workaround below.
The 5.4.1 and 6.2.3 releases are available from
If you are unable to upgrade, you can disable code search by deleting the
following line from `app/contexts/search_context.rb` and restarting GitLab:
result[:blobs] = project.repository.search_files(query,
params[:repository_ref]) unless project.empty_repo?
Thanks to joernchen of http://www.phenoelit.org/ for reporting the
vulnerability to us.