by Vincent Menard
We recently performed security tests on the Gogs (Go Git Service) application and found multiple security problems, among them a private repository information disclosure in its API interface.
Affected versions are 0.11.53 (current at the time of testing) and older.
Tests were completed using Gogs version 0.11.53.0603.
The vendor was contacted on June 26th, 2018 regarding the API private information disclosure vulnerability.
Gogs is available for download at this address: https://gogs.io/
HTTP is exposed when using an HTTPS reverse proxy
The usual way to serve Gogs over HTTPS is to put it behind an HTTPS reverse proxy. When this is done, the unencrypted HTTP port remains exposed on every interface next to the proxy, so a client can still reach Gogs in clear text by connecting to that port directly. The solution proposed on the Gogs forum is to change the HTTP_ADDR variable in the configuration file to localhost, so that only the proxy on the same host can reach the plain-HTTP listener. We think this should be suggested to the user within the app.ini configuration file itself.
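The two configurations below illustrate the point. They are an added example written for this page, not taken from the Gogs distribution: the [server] keys are the ones Gogs reads from app.ini, but the host name, port and proxy layout are assumed.

```ini
; Weak: Gogs binds the plain-HTTP listener to every interface, so
; http://git.example.com:3000/ stays reachable beside the HTTPS proxy.
[server]
PROTOCOL  = http
ROOT_URL  = https://git.example.com/
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000

; Corrected: bind to loopback only. The reverse proxy running on the same
; host still forwards to 127.0.0.1:3000, but nothing else can connect.
[server]
PROTOCOL  = http
ROOT_URL  = https://git.example.com/
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3000
```

After restarting Gogs, `ss -ltnp` should show port 3000 listening on 127.0.0.1 only. If the proxy runs on another host, loopback is not an option; bind HTTP_ADDR to the internal interface instead and restrict the port with a host firewall so that only the proxy's address can reach it.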
Lack of IP address in log files
Gogs log files are very minimal. There is no indication of Git (SSH) operations or HTTP requests; the service only logs errors, even in Trace mode. The client IP address is always missing from the log files, which makes it impossible to attribute an operation to its source during an investigation.
Git authentication variables appear in the log file untruncated
While testing the security of the SSH Git hook script, we noticed that the authentication variables, along with the repository name, appear in the log untruncated. With the help of automation scripts, the log file can grow to a significant size if long values are passed on a clone request.
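The mitigation is to cap every request-derived value before it reaches a log line. The helper below is an added example of that rule and is not Gogs code; the 64-byte budget and the field names are assumptions. It cuts on a rune boundary so a multi-byte character is never split, and records the original length so the log still shows how much was dropped.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxLogField is the per-field byte budget. Assumed value for this example,
// not a Gogs setting.
const maxLogField = 64

// TruncateLogField caps a value taken from an untrusted request (such as the
// repository name or the authentication variables handed to the SSH hook)
// before it is written to a log line. Values within the budget are returned
// unchanged; longer ones are cut on a rune boundary and annotated with the
// number of bytes the caller actually sent.
func TruncateLogField(v string, max int) string {
	if len(v) <= max {
		return v
	}
	cut := max
	// Step back while the byte at the cut point is a UTF-8 continuation byte,
	// so the prefix we keep is valid UTF-8.
	for cut > 0 && !utf8.RuneStart(v[cut]) {
		cut--
	}
	return fmt.Sprintf("%s...[truncated, %d bytes total]", v[:cut], len(v))
}

func main() {
	// Constructed inputs: a normal repository name and an oversized one of the
	// kind an automated client could send on every clone request.
	normal := "alice/tools"
	oversized := "alice/" + strings.Repeat("A", 10000) + ".git"
	fmt.Println(TruncateLogField(normal, maxLogField))
	fmt.Println(TruncateLogField(oversized, maxLogField))
}
```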
Empty repository name returns Go error
We noticed that the use of an empty directory name produced a Go error that does not seem to be handled properly.
Private repository information in the API search
The Gogs web interface implements an API providing information about hosted repositories. We noticed that the search endpoint (/api/v1/repos/search) also returns metadata on private repositories to users who do not have access to them.
The disclosed information includes the repository description, repository size, owner and last update timestamp. As a workaround that does not require updating Gogs, placing an index.html file in a newly created /api/v1/repos/search folder, so that the static file is served instead of the endpoint, appears to solve the problem, at the cost of disabling the API search function altogether.
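The program below is an added example written for this page, not Gogs code. It does two things a practitioner wants here: `LeakedPrivateRepos` parses a search response obtained as a client that should only see public repositories (for instance an unauthenticated one) and lists every entry flagged private, which is the check to run against an instance before and after the workaround or an upgrade; `FilterForRequester` is the visibility rule the server should apply before returning results. The JSON field names follow the Gogs API repository object but are an assumption, and the response body is constructed, not captured from a live instance.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// apiRepo keeps only the fields of a /api/v1/repos/search entry used here.
// Field names are an assumption based on the Gogs API repository object.
type apiRepo struct {
	FullName    string `json:"full_name"`
	Description string `json:"description"`
	Private     bool   `json:"private"`
	Size        int64  `json:"size"`
	Updated     string `json:"updated_at"`
	Owner       struct {
		Username string `json:"username"`
	} `json:"owner"`
}

// searchResponse is the envelope around the search results.
type searchResponse struct {
	OK   bool      `json:"ok"`
	Data []apiRepo `json:"data"`
}

// LeakedPrivateRepos decodes a search response body and returns, sorted, the
// full names of every entry marked private. Run against a response obtained
// without the rights to those repositories, a non-empty result means the
// disclosure is still present.
func LeakedPrivateRepos(body []byte) ([]string, error) {
	var resp searchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decoding search response: %w", err)
	}
	var leaked []string
	for _, r := range resp.Data {
		if r.Private {
			leaked = append(leaked, r.FullName)
		}
	}
	sort.Strings(leaked)
	return leaked, nil
}

// FilterForRequester applies the visibility rule the server side should use:
// public repositories are always returned, private ones only when the
// requester owns them or is listed as a collaborator. An empty requester
// represents an unauthenticated call and therefore sees public repositories
// only. The collaborators map (full name -> usernames) stands in for the
// access check a real implementation would make against its database.
func FilterForRequester(repos []apiRepo, requester string, collaborators map[string][]string) []apiRepo {
	var out []apiRepo
	for _, r := range repos {
		if !r.Private {
			out = append(out, r)
			continue
		}
		if requester == "" {
			continue
		}
		if r.Owner.Username == requester {
			out = append(out, r)
			continue
		}
		for _, c := range collaborators[r.FullName] {
			if c == requester {
				out = append(out, r)
				break
			}
		}
	}
	return out
}

// Names returns the full names of a result set, in order.
func Names(repos []apiRepo) []string {
	names := make([]string, 0, len(repos))
	for _, r := range repos {
		names = append(names, r.FullName)
	}
	return names
}

// sampleBody is a constructed response in the shape described above.
const sampleBody = `{"ok":true,"data":[
 {"full_name":"alice/public-tools","description":"CLI helpers","private":false,"size":120,"updated_at":"2018-06-20T10:00:00Z","owner":{"username":"alice"}},
 {"full_name":"alice/payroll","description":"internal payroll exports","private":true,"size":4096,"updated_at":"2018-06-25T09:30:00Z","owner":{"username":"alice"}},
 {"full_name":"bob/infra","description":"terraform for prod","private":true,"size":870,"updated_at":"2018-06-24T18:12:00Z","owner":{"username":"bob"}}
]}`

func main() {
	leaked, err := LeakedPrivateRepos([]byte(sampleBody))
	if err != nil {
		panic(err)
	}
	fmt.Println("private repositories visible in search:", leaked)

	var resp searchResponse
	if err := json.Unmarshal([]byte(sampleBody), &resp); err != nil {
		panic(err)
	}
	collab := map[string][]string{"bob/infra": {"carol"}}
	for _, who := range []string{"", "alice", "carol"} {
		fmt.Printf("requester %q sees %v\n", who, Names(FilterForRequester(resp.Data, who, collab)))
	}
}
```

Against a real instance, feed `LeakedPrivateRepos` the body of `GET /api/v1/repos/search?q=<term>` fetched without credentials and again with an account that has no access to the private repositories being probed; both should come back empty once the endpoint is fixed or blocked.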