---
title: "3 reasons why GitLab is not vulnerable to the Gollum vulnerability and 1 tip"
date: 2014-12-09
categories: company
author: Job van der Voort
---

Three days ago, Gollum, the git-powered wiki used in GitLab, disclosed a [vulnerability](https://github.com/gollum/gollum/issues/913) that makes it possible to execute arbitrary code on the server Gollum is running on. An attacker could exploit this to bring down your server or access your data.

**GitLab is not vulnerable to this, here's why:**

1. GitLab has implemented its own search and doesn't use Gollum's search.
2. For search, we made sure to escape the user-supplied query with `Shellwords.shellescape(query)` before it reaches the shell.
3. Since GitLab 7.4, we have used rugged, avoiding any use of grit [altogether](https://gitlab.com/gitlab-org/gitlab_git/blob/master/lib/gitlab_git/repository.rb#L194).

We've verified that GitLab installations prior to version 6.6 are **not** vulnerable to the Gollum vulnerability either.

## 1 Tip

Ironically, it was [our own gem](https://gitlab.com/gitlab-org/gitlab-grit) that caused this. We've created a [guide](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/shell_commands.md) to combat remote code execution vulnerabilities we found previously in GitLab. We should have rewritten our gem to follow our own guidelines, but we're switching GitLab to [Rugged](https://github.com/libgit2/rugged) instead. We recommend that all Ruby developers adopt our guidelines and take note of this.

As with everything in GitLab, if you see something that can be improved, please send us a merge request.

## About GitLab

You can try GitLab by [downloading](/install/) the Community Edition and installing it on your own server or by signing up to our free, unlimited GitLab instance [GitLab.com](https://gitlab.com/users/sign_up). Check out [GitLab Enterprise Edition](/features/#enterprise) for deep LDAP integration, git hooks, Jenkins integration and many more powerful enterprise features.
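The class of bug behind reason 2 and the tip above is shell command injection: user input interpolated into a command string that a shell parses. The following is an added illustration, not GitLab's or Gollum's code, of the three ways such a call can be written in Ruby. `echo` stands in for `git grep` so the snippet runs anywhere without a repository; the function names and the constructed `MALICIOUS_QUERY` string are assumptions made for the example.

```ruby
require 'shellwords'
require 'open3'

# Constructed attacker-controlled search string: a harmless first word followed
# by a shell metacharacter sequence that would run a second command.
MALICIOUS_QUERY = 'needle; echo INJECTED'

# 1. Vulnerable pattern: raw input interpolated into a single command string.
#    Open3.capture2 with one string hands it to /bin/sh, which honours the ';'.
def search_vulnerable(query)
  out, _status = Open3.capture2("echo searching for #{query}")
  out
end

# 2. Escaped pattern (the measure the post describes for GitLab search):
#    Shellwords.shellescape quotes every metacharacter, so the shell sees the
#    whole query as one literal argument.
def search_escaped(query)
  out, _status = Open3.capture2("echo searching for #{Shellwords.shellescape(query)}")
  out
end

# 3. Argument-array pattern: each argument is passed to the program directly
#    via execve, no shell is involved, so there is nothing left to escape.
def search_argv(query)
  out, _status = Open3.capture2('echo', 'searching', 'for', query)
  out
end

# Detector used by the demo: did the injected second command actually run?
def injected?(output)
  output.lines.any? { |line| line.strip == 'INJECTED' }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: injected=#{injected?(search_vulnerable(MALICIOUS_QUERY))}"
  puts "escaped:    injected=#{injected?(search_escaped(MALICIOUS_QUERY))}"
  puts "argv:       injected=#{injected?(search_argv(MALICIOUS_QUERY))}"
end
```

Escaping is the narrower fix: it protects against shell metacharacters only, so it has to be applied at every call site, and it does nothing about a value beginning with `-` being parsed as an option by the program you invoke. The argument-array form removes the shell from the picture entirely, which is why it is the safer default; for the option problem, put a literal `--` before user-controlled arguments where the called program supports it.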