> Specifically HandleFileUploads in uploads.go is called from a couple of PreAuthorizeHandler contexts allowing the HandleFileUploads logic, which calls down to rewrite.go and exif.go, to execute before authentication.
I'm no security guy, but this seems... incredibly dumb? Like even for perfectly secure code, the asymmetry in resource usage alone to submit an image vs. get them to dump a file, shell out to a scanner, and rewrite that file would probably be enough to seriously hurt smaller GitLab VMs.
Not only that, but it still works in exactly this way. I would have thought they would have fixed this "feature." But an unauthenticated user can still provide GitLab with TIFF/JPEG images and have them reach ExifTool.
The following describes the entire unauthenticated attack:
https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapi...
And, if you like that sort of thing, there is a Metasploit module you can use to reproduce the unauthenticated attack:
https://github.com/rapid7/metasploit-framework/commit/6f4aa5...
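The handler-ordering problem this thread describes, as an added illustration that is not GitLab's or Workhorse's code: a hypothetical Go middleware chain in which the upload-rewriting stage runs before the authorization stage, beside the ordering that rejects anonymous requests before any file work happens. The stage names, the `Bearer valid` credential and the request body are all constructed for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)
// Processed counts runs of the expensive stage (stand-in for writing the file
// out, shelling out to ExifTool and rewriting it).
var Processed int

// rewriteStage does the costly upload work, then hands the request on.
func rewriteStage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		Processed++ // by now the body has been parsed and rewritten
		next.ServeHTTP(w, r)
	})
}

// authStage rejects the request unless the constructed credential is present.
func authStage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer valid" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var accept = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })

// VulnerableChain: file handling runs before authorization, as the thread describes.
func VulnerableChain() http.Handler { return rewriteStage(authStage(accept)) }

// HardenedChain: authorization decides first, so anonymous bodies never reach the rewrite.
func HardenedChain() http.Handler { return authStage(rewriteStage(accept)) }

// Upload pushes a constructed TIFF-like body through h and reports the status
// code plus how many times the expensive stage ran for that one request.
func Upload(h http.Handler, token string) (status, work int) {
	before := Processed
	req := httptest.NewRequest(http.MethodPost, "/uploads/user", strings.NewReader("II*\x00 constructed bytes"))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, Processed - before
}

func main() { Upload(HardenedChain(), "") }
```

With the vulnerable ordering an anonymous request is still rejected, but only after the expensive stage has already run; with the hardened ordering the rejection costs nothing beyond the header check.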