[GitLab] RepositoryPipeline allows importing of local git repos ($22,300 USD)

We discussed this vulnerability during Episode 165 on 07 November 2022

When performing a BulkImport it is possible to provide a URL for httpUrlToRepo that resolves to a repository on the local filesystem.

Although GitLab::UrlBlocker.Validate is used to validate the URL provided, no whitelist of schemes is enforced, meaning the file:// scheme can be used as long as the rest of the URL passes validation. This allows the attacker to import any repository already on the host filesystem: because GitLab project storage paths are based on the SHA2 of the project ID, they can determine the location of a given project on the filesystem.
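Added example, written for this page and not GitLab's or the reporter's code: a toy Ruby URL validator that shows the defect class above. A host-only check never sees a file:// URL as dangerous, because that URL names no network host at all; an allowlist of schemes checked before anything else closes the gap. `ALLOWED_SCHEMES`, `blocked_host?`, `validate_no_scheme_allowlist!`, `validate_clone_url!`, `accepted?` and the sample URLs are all assumptions made here, and the local path in the sample is constructed.

```ruby
require "uri"
require "ipaddr"

# Toy stand-in for a URL blocker (assumption, not GitLab's implementation).
ALLOWED_SCHEMES = %w[http https].freeze # assumed allowlist for clone URLs

class BlockedUrlError < StandardError; end

# True when the host names the local machine or an internal network.
def blocked_host?(host)
  return true if host.nil? || host.empty? || host == "localhost"
  ip = IPAddr.new(host)
  ip.loopback? || ip.private? || ip.link_local?
rescue IPAddr::InvalidAddressError
  false # a DNS name; real code would resolve it and check every address
end

# Flawed variant: accepts any scheme and only inspects the host when the URL
# carries one. "file:///srv/repo.git" has an empty host, so it sails through.
def validate_no_scheme_allowlist!(url)
  uri = URI.parse(url)
  if uri.host && !uri.host.empty? && blocked_host?(uri.host)
    raise BlockedUrlError, "blocked host #{uri.host}"
  end
  uri
end

# Hardened variant: reject the scheme before looking at anything else, then
# require a host and apply the same host checks.
def validate_clone_url!(url, allowed_schemes: ALLOWED_SCHEMES)
  uri = URI.parse(url)
  unless allowed_schemes.include?(uri.scheme)
    raise BlockedUrlError, "scheme #{uri.scheme.inspect} not allowed"
  end
  raise BlockedUrlError, "blocked host #{uri.host.inspect}" if blocked_host?(uri.host)
  uri
end

# Convenience wrapper: true when the chosen validator accepts the URL.
def accepted?(url, strict:)
  strict ? validate_clone_url!(url) : validate_no_scheme_allowlist!(url)
  true
rescue BlockedUrlError, URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  [
    "https://gitlab.example.com/group/project.git",          # constructed, legitimate
    "file:///var/opt/example/repositories/aa/bb/hash.git",   # constructed local path
    "http://127.0.0.1/group/project.git",                    # loopback host
  ].each do |u|
    puts format("%-56s lax=%-5s strict=%s", u, accepted?(u, strict: false), accepted?(u, strict: true))
  end
end
```

The lax validator accepts the file:// URL while rejecting the loopback one, which is exactly the shape of the bug: the host checks are working, they are just never reached. The strict validator rejects the file:// URL on the scheme alone, before any host logic runs, and also rejects a scheme-less local path.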

For this report they targeted the GitLab Capture the Flag repo, a special repository containing a flag that can be captured to prove access to data for bypass vulnerabilities that would otherwise receive a low severity score. I believe this is the first time the $20,000 bonus for capturing that flag has been claimed.