Disclosure of Template File from Private Project
HackerOne report #453050 by ngalog on 2018-11-30:
Summary:
There is a new feature in 11.5 which allows a user to add custom private template files to a group, so that when a project in the group creates a new file, it can use those templates.
There is no access control at that endpoint, which allows an unauthorized user to view a private project's template files even though they are not allowed to see that project.
Setting Up the Environment:
- Create a public group with a gold plan
- Create a private project, for example with the name `privateproject`
- In the public group, set `privateproject` as the file template project, as documented [here](https://docs.gitlab.com/ee/user/admin_area/settings/instance_template_repository.html#configuration) and [here](https://docs.gitlab.com/ee/user/group/#group-level-file-templates-premium)
- Then create a folder in `privateproject` named `Dockerfile` and create a file inside that directory named `test.dockerfile`
- Create another public project in the public group and jot down its id
- Finally, as an unauthenticated user, visit
https://gitlab.com/api/v4/projects/{public_project_id_in_group}/templates/dockerfiles/test
You will see the template file that is supposed to be private from public users
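The lookup behind the steps above, modelled as an added example (this is not GitLab's code, and the class names, the `file_template_project` attribute and the two finder functions are assumptions chosen to mirror the behaviour the report describes). The vulnerable variant resolves the group's template project and reads the file without asking whether the requester may read that project; the hardened variant adds that check and maps a refusal to 404 so the response does not confirm that a private template project exists. The template path layout (`Dockerfile/<name>.dockerfile`) follows the report's setup.

```ruby
# Added illustration of the access-control gap in the group-level template
# endpoint. NOT GitLab's code: Project/Group/User, file_template_project and
# the finder functions below are assumptions that model the reported behaviour.

Project = Struct.new(:id, :name, :group, :private, :files, keyword_init: true) do
  # A private project is readable only by its members; a public one by anyone.
  def readable_by?(user)
    return true unless private
    !user.nil? && user.member_project_ids.include?(id)
  end
end

Group = Struct.new(:name, :file_template_project, keyword_init: true)
User  = Struct.new(:name, :member_project_ids, keyword_init: true)

class TemplateNotFound  < StandardError; end
class TemplateForbidden < StandardError; end

# Directory and extension per template type; only "dockerfiles" is modelled here.
TEMPLATE_LAYOUT = { "dockerfiles" => ["Dockerfile", ".dockerfile"] }.freeze

def template_path(type, name)
  dir, ext = TEMPLATE_LAYOUT.fetch(type) { raise TemplateNotFound, type }
  # Reject path tricks in the template name before building a repository path.
  raise TemplateNotFound, name unless name.match?(/\A[\w.-]+\z/)
  "#{dir}/#{name}#{ext}"
end

def resolve_template_project(project)
  project.group&.file_template_project
end

# Vulnerable variant: the requester's right to read the *template* project is
# never checked; reaching a public project in the group is enough.
def vulnerable_template(_user, project, type, name)
  source = resolve_template_project(project)
  raise TemplateNotFound, name unless source
  source.files.fetch(template_path(type, name)) { raise TemplateNotFound, name }
end

# Hardened variant: the template project itself must be readable by the requester.
def hardened_template(user, project, type, name)
  source = resolve_template_project(project)
  raise TemplateNotFound, name unless source
  raise TemplateForbidden, name unless source.readable_by?(user)
  source.files.fetch(template_path(type, name)) { raise TemplateNotFound, name }
end

# API-shaped wrapper returning [status, body]. Forbidden is reported as 404 so
# the endpoint does not reveal whether a private template project exists.
def api_get_template(finder, user, project, type, name)
  [200, send(finder, user, project, type, name)]
rescue TemplateForbidden, TemplateNotFound
  [404, nil]
end

# Constructed scenario mirroring the report: a public group whose file template
# project is private and holds Dockerfile/test.dockerfile, plus a public project.
def build_scenario
  group = Group.new(name: "publicgroup", file_template_project: nil)
  private_project = Project.new(
    id: 1, name: "privateproject", group: group, private: true,
    files: { "Dockerfile/test.dockerfile" =>
             "FROM internal-registry.example/base:1\nENV SECRET=hunter2\n" }
  )
  group.file_template_project = private_project
  public_project = Project.new(id: 2, name: "publicproject", group: group,
                               private: false, files: {})
  member = User.new(name: "owner", member_project_ids: [1, 2])
  [public_project, member]
end

if __FILE__ == $PROGRAM_NAME
  public_project, member = build_scenario
  anonymous = nil
  p api_get_template(:vulnerable_template, anonymous, public_project, "dockerfiles", "test")
  p api_get_template(:hardened_template, anonymous, public_project, "dockerfiles", "test")
  p api_get_template(:hardened_template, member, public_project, "dockerfiles", "test")
end
```

Run it stand-alone and the first line shows the private Dockerfile contents handed to an anonymous caller, which is exactly the leak the report demonstrates; the hardened finder returns 404 for that caller and the file only for a member of the template project.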
Real-life PoC on gitlab.com:
Link for my public project: https://gitlab.com/new-jjj-groupaaa/newnewthing/
Link for my private template file: https://gitlab.com/api/v4/projects/9696224/templates/dockerfiles/cuyoyo
Link for my private project with the private template file:
https://gitlab.com/new-jjj-groupaaa/awesome
Dockerfiles and other config files could easily contain private info for that group, which is why I think this has high impact
Impact
Disclosure of Template File from Private Project