Guests can know whether merge request template name exists or not
HackerOne report #453883 by ashish_r_padelkar on 2018-12-02:
Summary:
As a guest in a private project, the guest cannot see merge requests, so they should not see merge request templates created at /.gitlab/merge_request_templates. Templates are created with .md extensions and are visible in the merge request dropdown. As a guest cannot see/create merge requests, they should not see these templates, and they do not, as expected!
However, there is a way to find out, by brute forcing, which template names exist in the folder /.gitlab/merge_request_templates, using the responses!
Steps To Reproduce:
- As owner of a private project, create 1 template at /.gitlab/merge_request_templates. Say MergeTemplate.
- Now, as a guest user in the project, directly visit https://gitlab.com/<UserName>/<projectName>/templates/merge_request/MergeTemplate
- They will see a 404 error page, which is correct.
- Now try with a different name instead: https://gitlab.com/<UserName>/<projectName>/templates/merge_request/MergeTemplateOther
- They should see 404 here too, but instead they see a 500 page!!
- So if they can guess the correct (case-sensitive) name of a template, they can actually know that the template with that name exists!
- So as a guest, if the response is 404, the template with that name exists! If 500, the template name doesn't exist!
This may be a small issue and require brute forcing, but I would suggest fixing this, as it should return a consistent response of 404 on all names for guests.
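As an added illustration (not GitLab's code, which the report does not show), the Ruby below models the ordering problem the report describes, where the template is looked up before the permission check so a missing name surfaces as a 500, and the consistent-404 handling the report asks for; the template list, roles and handler names are constructed for this example.

```ruby
# Constructed repository state: a private project with exactly one template.
TEMPLATES = %w[MergeTemplate].freeze

class NotFound < StandardError; end

# Hypothetical permission check: guests may not read merge request templates.
def can_read_templates?(role)
  %i[developer maintainer owner].include?(role)
end

# Simulated framework behaviour: an unhandled exception becomes a 500 response.
def dispatch
  yield
rescue StandardError
  500
end

# Vulnerable ordering: the template is fetched before authorisation.
# A missing template raises and becomes a 500, while an existing template
# reaches the permission check and gets a 404, so the status leaks existence.
def vulnerable_status(role, name)
  dispatch do
    raise NotFound unless TEMPLATES.include?(name)   # unhandled -> 500
    next 404 unless can_read_templates?(role)        # hidden from guests
    200
  end
end

# Fixed ordering: authorise first, then map both failure cases to the same 404,
# so a guest sees identical responses whether or not the name exists.
def fixed_status(role, name)
  return 404 unless can_read_templates?(role)
  return 404 unless TEMPLATES.include?(name)
  200
end

if __FILE__ == $PROGRAM_NAME
  %w[MergeTemplate MergeTemplateOther].each do |name|
    puts "#{name}: vulnerable=#{vulnerable_status(:guest, name)} fixed=#{fixed_status(:guest, name)}"
  end
end
```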
Regards, Ashish
Impact
- Guests can know that a template exists in a private project.
- This may work for public projects where the repository setting is "Project Members Only", but I have not tried that yet.