PT-2026-6863 · Go · Gogs.Io/Gogs

Publicado

2026-02-06

·

Atualizado

2026-02-06

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Vulnerability Description

In the endpoint:
/username/reponame/settings/hooks/git/:name
the :name parameter:
  • Is URL-decoded by macaron routing, allowing decoded slashes (/)
  • Is then passed directly to:
go
git.Repository.Hook("custom hooks", name)
which internally resolves the path as:
go
filepath.Join(repoPath, "custom hooks", name)
Because no path sanitization is applied, supplying ../ sequences allows access to arbitrary paths outside the repository.

As a Result:

  • GET: Arbitrary file contents are displayed in the hook edit page textarea (Local File Inclusion).
  • POST: Existing files can be overwritten with attacker-controlled content (Arbitrary File Write).

Attack Prerequisites

  • The attacker is an authenticated user
  • The attacker has Admin or higher privileges on the target repository
  • The attacker has the AllowGitHook permission (or is a site administrator)
  • The target file is readable/writable by the Gogs process OS permissions

Attack Scenario

  1. An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL
  2. A path containing ../ is supplied in :name, fully URL-encoded using %2f
  3. The server resolves custom hooks/../../... without validation
  4. Arbitrary file contents are displayed and existing files can be overwritten

Potential Impact

  • Sensitive information disclosure: app.ini, databases, logs, environment variables, etc.
  • Configuration or data tampering: Overwriting existing files
  • Secondary impact: Extraction of SECRET KEY and database credentials may allow token forging or further compromise

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22

Identificadores relacionados

GHSA-MRPH-W4HH-GX3G

Produtos afetados

Gogs.Io/Gogs