support commit hash fingerprinting

righel · Mar 28, 2024 · 033d011 · 033d011
1 parent e0c15b6
commit 033d011
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 16 deletions.
diff --git a/automation/get_gitlab_hashes.py b/automation/get_gitlab_hashes.py
@@ -20,7 +20,7 @@ def main(argv):
     write_hashes_dict(hashes, hashes_dict_file)
 
 
-def get_manifest_hash(branch, version):
+def get_manifest_hashes(branch, version):
     try:
         subprocess.check_output("docker rm tmp_gitlab", shell=True)
     except:
@@ -32,24 +32,33 @@ def get_manifest_hash(branch, version):
     # pull tag
     subprocess.check_output("docker create --name='tmp_gitlab' %s" % image, shell=True)
     subprocess.check_output("docker export tmp_gitlab -o tmp_gitlab.tar", shell=True)
-    subprocess.check_output("mkdir -p assets/", shell=True)
-    subprocess.check_output("tar -xf tmp_gitlab.tar opt/gitlab/embedded/service/gitlab-rails/public/assets/ --strip-components=6", shell=True)
+    subprocess.check_output("tar -xf tmp_gitlab.tar opt/gitlab/embedded/service/gitlab-rails/public/assets/webpack/manifest.json --strip-components=8", shell=True)
+    subprocess.check_output("tar -xf tmp_gitlab.tar opt/gitlab/version-manifest.json --strip-components=2", shell=True)
 
-    # get version hash
-    with open("./assets/webpack/manifest.json", "r") as file:
+    # get version webpack assets hash
+    with open("manifest.json", "r") as file:
         raw_manifest = file.read()
     manifest = json.loads(raw_manifest)
 
+    # get version commit hash
+    with open("version-manifest.json", "r") as file:
+        raw_version_manifest = file.read()
+    version_manifest = json.loads(raw_version_manifest)
+
     # cleanup
     try:
         subprocess.check_output("docker rmi %s -f" % image, shell=True)
         subprocess.check_output("docker rm tmp_gitlab", shell=True)
         subprocess.check_output("rm tmp_gitlab.tar", shell=True)
-        subprocess.check_output("rm -rf assets/", shell=True)
+        subprocess.check_output("rm manifest.json", shell=True)
+        subprocess.check_output("rm version-manifest.json", shell=True)
     except:
         pass
 
-    return str(manifest["hash"])
+    return {
+        "webpack_hash": str(manifest["hash"]),
+        "commit_hash": str(version_manifest["software"]["gitlab-rails"]["locked_version"])
+    }
 
 
 def load_hashes_dict(hashes_dict_file):
@@ -104,12 +113,19 @@ def process_missing_tags(hashes_dict_file):
                 not any(processed in version for processed in processed[build])
             ):
                 clean_version = version[:version.index('-')]
-                hash = get_manifest_hash(build, version)
+                hash = get_manifest_hashes(build, version)
+
+                if hashes.get(hash['webpack_hash']):
+                    hashes[hash['webpack_hash']]["versions"].append(clean_version)
+                    hashes[hash['webpack_hash']]["versions"] = list(set(hashes[hash['webpack_hash']]["versions"]))
+                else:
+                    hashes[hash['webpack_hash']] = {"build": build, "versions": [clean_version]}
 
-                if hashes.get(hash):
-                    hashes[hash]["versions"].append(clean_version)
+                if hashes.get(hash['commit_hash']):
+                    hashes[hash['commit_hash']]["versions"].append(clean_version)
+                    hashes[hash['commit_hash']]["versions"] = list(set(hashes[hash['commit_hash']]["versions"]))
                 else:
-                    hashes[hash] = {"build": build, "versions": [clean_version]}
+                    hashes[hash['commit_hash']] = {"build": build, "versions": [clean_version]}
 
                 processed[build].append(version)
 

diff --git a/gitlab_version.nse b/gitlab_version.nse
@@ -47,16 +47,23 @@ action = function(host, port)
 
     local response = http.generic_request(host.targetname or host.ip, port, "GET", manifest_url, options)
     local manifest_hash = string.match(response["rawbody"], '"hash": "([%w]*)"')
+
+
+    login_url = "/users/sign_in"
+    if stdnse.get_script_args("subdir") then
+        login_url =  stdnse.get_script_args("subdir") .. login_url
+    end
+    local response = http.generic_request(host.targetname or host.ip, port, "GET", login_url, options)
+    local commit_hash = string.match(response["rawbody"], 'gon.revision="([%w]*)"')
 
-    if manifest_hash == nil then
+    if manifest_hash == nil and commit_hash == nil  then
         return "ERROR: GitLab instance not found or running version < 9.x"
     end
-
-    local manifest_hashes_map = get_hashes_map()
-    local banner = manifest_hashes_map[manifest_hash]
+
+    local banner = get_banner(manifest_hash, commit_hash)
 
     if banner == nil then
-        return "ERROR: GitLab manifest hash not found in map: " .. manifest_hash
+        return "ERROR: GitLab hash not found in map: webpack_hash:" .. manifest_hash .. ", commit_hash:" .. commit_hash
     end
 
     local build = banner["build"]
@@ -90,6 +97,29 @@ action = function(host, port)
     return output
 end
 
+function get_banner(manifest_hash, commit_hash)
+    local manifest_hashes_map = get_hashes_map()
+    if manifest_hashes_map == nil then
+        return nil
+    end
+
+    -- search for commit hash
+    for key, value in pairs(manifest_hashes_map) do
+        if type(key) == "string" and key:sub(1, #commit_hash) == commit_hash then
+            return value
+        end
+    end
+
+    -- search for webpack manifest hash
+    local banner = manifest_hashes_map[manifest_hash]
+
+    if banner == nil then
+        return nil
+    end
+
+    return banner
+end
+
 function get_vulners_results(build, version)
     local api_version = "1.7"
     local option = {