Download archive is allowing unauthorized private repo access
Summary
Repository "Download zip"/"Download tar.gz" are capable of retrieving the previously generated .zip or .tar.gz of another repository of the same name from a completely different user or group.
Steps to reproduce
- A user of a public repository named "user1/download-test" selects "Download as .zip":
  /user1/download-test/-/archive/master/download-test-master.zip
- Before any new changes are made to "user1/download-test", user2 requests "Download zip" from "/user2/download-test". They receive the contents of the .zip produced from "/user1/download-test":
  /user2/download-test/-/archive/master/download-test-master.zip
- User2 requests "Download as .tar.gz" of "/user2/download-test":
  /user1/download-test/-/archive/master/download-test-master.tar.gz
- Any user can request the tar.gz from a project named "download-test" and receive the contents of "/user1/download-test".

Either project can be "Private" and the contents are still returned.
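The failure mode in the steps above, modelled as an added example that is not GitLab's own code: a toy archive cache keyed on the generated archive filename (project name plus ref) beside one keyed on the immutable project id and the resolved commit SHA. The project ids, SHAs, paths and file contents are constructed for the demo.

```ruby
require 'digest'

# Constructed sample data (not GitLab's data model): two projects in
# different namespaces share the project name "download-test".
PROJECTS = {
  1 => { path: 'user1/download-test', sha: 'a1b2c3', files: 'user1 private files' },
  2 => { path: 'user2/download-test', sha: 'd4e5f6', files: 'user2 files' }
}.freeze

# Stand-in for the expensive "git archive" step; returns a string for the demo.
def build_archive(project, fmt)
  "#{fmt}-archive-of:#{project[:path]}:#{project[:files]}"
end

# Model of the reported bug: the cache key is only the generated filename
# "<project name>-<ref>.<fmt>", so a request for user2/download-test hits the
# entry that user1/download-test produced moments earlier.
class NameKeyedArchiveCache
  def initialize
    @store = {}
  end

  def fetch(project_id, ref, fmt)
    project = PROJECTS.fetch(project_id)
    name = File.basename(project[:path])
    @store["#{name}-#{ref}.#{fmt}"] ||= build_archive(project, fmt)
  end
end

# Hardened model: key on the project id and the resolved commit SHA, never on
# the user-visible name or path (neither unique nor stable), plus the format.
# Distinct projects can no longer alias each other, and a new commit on the
# ref yields a fresh key instead of stale content.
class IdKeyedArchiveCache
  def initialize
    @store = {}
  end

  def fetch(project_id, ref, fmt)
    project = PROJECTS.fetch(project_id)
    sha = project[:sha] # a real system resolves `ref` to a commit SHA here
    key = Digest::SHA256.hexdigest([project_id, sha, fmt].join("\0"))
    @store[key] ||= build_archive(project, fmt)
  end
end

# Replays the report's sequence: user1 downloads first, then user2 asks for
# the same-named project. Returns what user2 receives.
def replay(cache)
  cache.fetch(1, 'master', 'zip')
  cache.fetch(2, 'master', 'zip')
end
```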
Example Project
This happened in production today with projects named "ld41".
What is the current bug behavior?
Private repository contents can be retrieved with unauthenticated access.
What is the expected correct behavior?
The archive should contain the contents of the repository that was actually requested.
Relevant logs and/or screenshots
https://kibana.gprd.gitlab.com/goto/69d7150f82b44af80448d5e90af99f66
Output of checks
This bug happens on GitLab.com.
Edited by Antony Saba