安全RCE之未授权访问分析(20)

上图中添加了header头Gitlab-Workhorse-Api-Request，内容为JWT令牌，用于在rails中验证请求是否来自于workhorse。最后组成的请求为
POST /uploads/user/authorize HTTP/1.1Host: 127.0.0.1:8080X-Csrf-Token: Gx3AIf UENPo0Q07pyvCgLZe30kVLzuyVqFwp8XDelScN7bu3g4xMIEW6EnpV xUR63S2B0MyOlNFHU6JXL5zg==Cookie: _gitlab_session=76a97094914fc3881c995992a9e22382Gitlab-Workhorse-Api-Request: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRsYWItd29ya2hvcnNlIn0.R5N8IJRIiZUo5ML1rVbTw_HLbJ88tYCqxOeqJNFHfGw
当得到响应后在PreAuthorize方法结尾通过json.NewDecoder(httpResponse.Body).Decode(authResponse)解析json数据httpResponse.Body到authResponse中，authResponse指向了Response结构体，定义如下：
type Response struct { // GL_ID is an environment variable used by gitlab-shell hooks during "git // push" and "git pull" GL_ID string // GL_USERNAME holds gitlab username of the user who is taking the action causing hooks to be invoked GL_USERNAME string // GL_REPOSITORY is an environment variable used by gitlab-shell hooks during // "git push" and "git pull" GL_REPOSITORY string // GitConfigOptions holds the custom options that we want to pass to the git command GitConfigOptions []string // StoreLFSPath is provided by the GitLab Rails application to mark where the tmp file should be placed. // This field is deprecated. GitLab will use TempPath instead StoreLFSPath string // LFS object id LfsOid string // LFS object size LfsSize int64 // TmpPath is the path where we should store temporary files // This is set by authorization middleware TempPath string // RemoteObject is provided by the GitLab Rails application // and defines a way to store object on remote storage RemoteObject RemoteObject // Archive is the path where the artifacts archive is stored Archive string `json:"archive"` // Entry is a filename inside the archive point to file that needs to be extracted Entry string `json:"entry"` // Used to communicate channel session details Channel *ChannelSettings // GitalyServer specifies an address and authentication token for a gitaly server we should connect to. GitalyServer gitaly.Server // Repository object for making gRPC requests to Gitaly. Repository gitalypb.Repository // For git-http, does the requestor have the right to view all refs? ShowAllRefs bool // Detects whether an artifact is used for code intelligence ProcessLsif bool // Detects whether LSIF artifact will be parsed with references ProcessLsifReferences bool // The maximum accepted size in bytes of the upload MaximumSize int64}