Issue Boards leak private label names and descriptions
- Title: Boards leak private label names and desciptions
- Types: Information Disclosure
- Link: https://hackerone.com/reports/162147
- Date: 2016-08-22 06:15:23 -0700
- By: jobert
Details:
Vulnerability details
In anticipation of today's release, I took a look at the new boards feature - which, unrelated to this report, is awesome! There turns out to be an IDOR vulnerability when creating a list based on a label. An attacker can create a list with a label ID that belongs to a private repository. This leaks the name and description of the label to the attacker.
Proof of concept
- Create a new, private repository
- In the created repository, create a new label - lets assume it has label ID 1
- Create another repository, doesn't matter if it's a private or public repository, and doesn't have to be scoped under the same namespace
- In the created repository, create another new label - lets assume it has label ID 2
- Go to the board of the repository created in step 3, and intercept your network traffic
- Click the label created and notice similar to the one below being sent to the GitLab instance:
Request
POST /jobertabma/test/board/lists HTTP/1.1
Host: gitlab-instance
...
{"list":{"label_id":2}}Response
HTTP/1.1 200 OK
...
{"id":3,"list_type":"label","position":1,"title":"super secret title","label":{"id":1,"title":"super secret title","color":"#428BCA","description":null,"priority":null}}- In the request, change the
label_idto 1, or any other label ID that doesn't belong to you and forward the request. - Refresh the board page, notice the created list - it contains the label name and description
Fix
This is a very ugly solution, but I just wanted to include it to point you to the vulnerability LoC. Line 18 (or 20, after the fix), creates a List object without making sure the provided label_id belongs to the project.
diff --git i/app/services/boards/lists/create_service.rb w/app/services/boards/l
index 5cb408b..630b05a 100644
--- i/app/services/boards/lists/create_service.rb
+++ w/app/services/boards/lists/create_service.rb
@@ -15,6 +15,8 @@ module Boards
end
def create_list_at(position)
+ params[:label_id] = project.labels.find(params[:label_id]).id
+
board.lists.create(params.merge(list_type: :label, position: position))
end
end