Private merge request titles leaked for guest users through system notes
HackerOne report #435093 by xanbanx on 2018-11-06:
Guest users have limited access to GitLab projects. If a project is private, guest users do not have access to the repository nor to merge requests.
However, system notes referencing merge requests in issues reveal the merge request title in the tooltip.
Steps to reproduce
Tested on GitLab Community Edition 11.5.0-pre (d0c58a97)
- Add a guest user to a private project
- As a developer user of that project, create an issue (e.g. issue with ID 1) and a merge request (e.g. with ID 1). Let the merge request description reference that issue, e.g. by containing #1 in the description
- As a guest user open issue #1
You will see a system note indicating that the issue is being referenced by merge request !1. By hovering over the system note, the tooltip is expanded, and the private merge request title is shown.
Impact
Guest users can read merge request titles
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
After finding https://hackerone.com/reports/435093, I looked further into that. GitLab allows auto-referencing merge requests inside markdown fields like issue descriptions or notes. However, merge request references get rendered for guest users, who do not have access to merge requests. They now have access to merge request titles. Users can enumerate all merge requests and read their titles.
Steps to reproduce
Tested on GitLab Community Edition 11.5.0-pre (d0c58a97)
- Add a guest user to a private project. The project needs to have at least one merge request.
- As the guest user create an issue. In the issue description enter "!1" to reference the merge request.
After creating the issue, the merge request link gets rendered and the tooltip shows the merge request title. See the attached image as an example.
Mitigation
The Markdown pipeline needs to check whether the user has permission to read a merge request before rendering the link.
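The following is an added illustration of that mitigation, not GitLab's own reference filter: a minimal Markdown reference filter that only turns "!N" into a link (with the title in the tooltip) when the viewing user is allowed to read merge requests in the project, and otherwise leaves the reference as plain text. The Project, MergeRequest, User and AccessLevel definitions are simplified stand-ins invented for the example; the assumption that guests cannot read merge requests in a private project mirrors the report.

```ruby
# Added example (not GitLab's code): permission-aware rendering of "!N"
# merge request references. All classes below are simplified stand-ins.
require 'cgi'

module AccessLevel
  GUEST     = 10
  REPORTER  = 20
  DEVELOPER = 30
end

MergeRequest = Struct.new(:iid, :title)
User = Struct.new(:name, :access_level)

class Project
  attr_reader :merge_requests

  def initialize(merge_requests)
    # Index merge requests by their project-scoped id (iid).
    @merge_requests = merge_requests.to_h { |mr| [mr.iid, mr] }
  end

  # Assumption mirroring the report: in a private project, guests (and
  # anonymous users) cannot read merge requests; reporters and above can.
  def can_read_merge_request?(user)
    !user.nil? && user.access_level >= AccessLevel::REPORTER
  end
end

class MergeRequestReferenceFilter
  REFERENCE_PATTERN = /!(?<iid>\d+)\b/

  def initialize(project, current_user)
    @project = project
    @current_user = current_user
  end

  # Rewrites each "!N" reference into a link whose title attribute carries
  # the merge request title, but only when the current user may read merge
  # requests. Unknown references and references the user may not read are
  # left untouched, so the title never reaches the rendered HTML.
  def call(text)
    text.gsub(REFERENCE_PATTERN) do
      match = Regexp.last_match
      mr = @project.merge_requests[match[:iid].to_i]
      next match[0] unless mr && @project.can_read_merge_request?(@current_user)

      %(<a href="/merge_requests/#{mr.iid}" title="#{CGI.escapeHTML(mr.title)}">!#{mr.iid}</a>)
    end
  end
end

# Renders the same issue description for a guest and a developer, returning
# both outputs so the difference can be compared.
def render_for_guest_and_developer(description)
  project = Project.new([MergeRequest.new(1, 'Secret feature'), MergeRequest.new(2, 'Fix login')])
  guest = User.new('guest', AccessLevel::GUEST)
  developer = User.new('dev', AccessLevel::DEVELOPER)
  {
    guest: MergeRequestReferenceFilter.new(project, guest).call(description),
    developer: MergeRequestReferenceFilter.new(project, developer).call(description)
  }
end

if __FILE__ == $PROGRAM_NAME
  render_for_guest_and_developer('Related: !1 and !2 (see also !99)').each do |role, html|
    puts "#{role}: #{html}"
  end
end
```

The permission check is made inside the filter, at the point where the reference is resolved, so every Markdown field that goes through the pipeline (issue descriptions, notes, system notes) gets the same treatment rather than relying on each caller to remember it.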
Impact
The user can enumerate all merge requests and get access to private merge request titles.
Dev issue (internal): https://dev.gitlab.org/gitlab/gitlabhq/issues/2768