Three days ago, Gollum, the git-powered wiki that is used in GitLab disclosed a
vulnerability that makes it possible to execute code on the
server that Gollum is running. Someone could exploit this to bring down your server or access your data.
GitLab is not vulnerable for this, here's why:
GitLab has implemented its own search and doesn't use Gollum's search.
For search, we made sure to use
Since GitLab 7.4, we switched to rugged, avoiding any use of grit altogether.
We've verified that GitLab installations prior to version 6.6 are not vulnerable
to the Gollum vulnerability either.
Ironically, it was our own gem that caused this.
We've created a guide
to combat remote code execution vulnerabilities we've found previously in GitLab.
We should have rewritten our gem to our own guidelines, but we're switching GitLab
to Rugged instead.
We recommend all Ruby developers to adopt our guidelines and take note from this.
As with everything in GitLab, if you see something that can be improved, please send us a merge request.
Check out GitLab Enterprise Edition for deep LDAP integration, git hooks, Jenkins integration and many more powerful enterprise features.