3 reasons why GitLab is not vulnerable to the Gollum vulnerability and 1 tip
Published on: December 9, 2014
2 min read


Three days ago, Gollum, the git-powered wiki used in GitLab, disclosed a vulnerability that makes it possible to execute code on the server where Gollum is running. Someone could exploit this to bring down your server or access your data. GitLab is not vulnerable to this, and here's why:

  1. GitLab has implemented its own search and doesn't use Gollum's search.

  2. For search, we made sure to use Shellwords.shellescape(query).

  3. Since GitLab 7.4, we have used Rugged, avoiding any use of grit altogether.
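
To make reason 2 concrete, here is an added example (not GitLab's own code) that contrasts three ways of building a `git grep` search command from a user-supplied query: plain string interpolation, the `Shellwords.shellescape` form named above, and an argv array that never touches a shell. The repository path and the query strings are constructed for the demonstration; `Shellwords.split` is used to model how a POSIX shell would word-split each command line.

```ruby
require 'shellwords'
require 'open3'

# Hypothetical repository path used only for the demonstration.
DEMO_REPO = '/tmp/demo-repo.git'

# UNSAFE: the query is interpolated into a string that a shell will parse,
# so whitespace and shell metacharacters in it change the command structure
# instead of staying inside the search pattern.
def unsafe_search_command(repo_path, query)
  "git --git-dir=#{repo_path} grep -n -e #{query}"
end

# Escaped form: every shell-significant character in both values is quoted,
# so the shell hands git exactly one argument per value.
def escaped_search_command(repo_path, query)
  "git --git-dir=#{Shellwords.shellescape(repo_path)} grep -n -e #{Shellwords.shellescape(query)}"
end

# Argv form: no shell at all. Passing an array to Open3/Process.spawn goes
# straight to execve, so nothing in the query is ever reparsed. The -e flag
# keeps a query that begins with '-' from being read as a git option.
def search_argv(repo_path, query)
  ['git', "--git-dir=#{repo_path}", 'grep', '-n', '-e', query]
end

# Runs the argv form; returns [stdout+stderr, exit status]. Only called when
# a real repository is present, since the path above is a placeholder.
def run_search(repo_path, query)
  Open3.capture2e(*search_argv(repo_path, query))
end

# Models the shell's word splitting of a command line and returns the
# argument(s) that would follow "-e", i.e. what git receives as the pattern.
# Note: Shellwords.split only performs word splitting; a real shell would
# additionally interpret operators such as ';' or '|' in the unsafe form,
# so this under-states how badly the unescaped string fares.
def pattern_as_shell_sees_it(command)
  words = Shellwords.split(command)
  words[(words.index('-e') + 1)..]
end

if __FILE__ == $PROGRAM_NAME
  query = 'foo bar'  # constructed query containing a space
  p pattern_as_shell_sees_it(unsafe_search_command(DEMO_REPO, query))   # ["foo", "bar"]
  p pattern_as_shell_sees_it(escaped_search_command(DEMO_REPO, query))  # ["foo bar"]
  p search_argv(DEMO_REPO, query).last                                  # "foo bar"
end
```

The escaped form is the minimal fix for existing string-building code; the argv form is the better design because there is no shell to escape for, which is also the property GitLab gains from Rugged's in-process libgit2 calls.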

We've verified that GitLab installations prior to version 6.6 are not vulnerable to the Gollum vulnerability either.

1 Tip

Ironically, it was our own gem that caused this. We have created a guide to combating the remote code execution vulnerabilities we found previously in GitLab. We should have rewritten our gem to follow our own guidelines, but we're switching GitLab to Rugged instead.

We recommend that all Ruby developers adopt our guidelines and take note of this.

As with everything in GitLab, if you see something that can be improved, please send us a merge request.

About GitLab

You can try GitLab by downloading the Community Edition and installing it on your own server or by signing up to our free, unlimited GitLab instance GitLab.com.

Check out GitLab Enterprise Edition for deep LDAP integration, git hooks, Jenkins integration and many more powerful enterprise features.
