Users can reply to merge request discussions despite `Only Project Members` settings
HackerOne report #512726 by ashish_r_padelkar
on 2019-03-20, assigned to hackerjuan
Summary:
Hello,
When a public project contains the settings below, merge requests are not visible publicly!
However, they can see the Repository and can comment on commit discussions! If they can guess/know the discussion ID of a merge request discussion, they can reply to merge request discussions too!
Description:
When anyone replies to a discussion on a commit, the following POST request is sent:
POST /<UserName>/<PublicProjectName>/notes?html=true HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 498
Accept: application/json, text/plain, */*
Origin: https://gitlab.com
X-CSRF-Token: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1
utf8=%E2%9C%93&authenticity_token=1&view=inline&line_type=&merge_request_diff_head_sha=&in_reply_to_discussion_id=ff8c6cdc4b899297fc235c69f5e7c9209ddc70db&note_project_id=10776018&target_type=commit&target_id=ef531cc7ac3070e53d6c5892de0f12fda3abf21c&note%5Bnoteable_type%5D=&note%5Bnoteable_id%5D=&note%5Bcommit_id%5D=&note%5Btype%5D=&note%5Bline_code%5D=&note%5Bposition%5D=&note%5Bnote%5D=ThisReplyWillGoToMergeRequest
As you can see, there is a parameter named in_reply_to_discussion_id. If anyone can know/guess this ID of any merge request discussion within the SAME project, they can reply to those discussions too!
Steps To Reproduce:
- As a project owner, set merge requests as Only Project Members and Repository as Everyone with Access
- As a normal user, comment on any commit and capture the above request
- Change the value of in_reply_to_discussion_id to a discussion ID of a merge request within the same project.
- Send the request. The reply will go to the merge request discussion, although you don't have any permissions on merge requests!
Regards,
Ashish
Impact
Guessing the Discussion ID can be difficult, or it may not be practically possible to brute force. So how can one know the discussion ID?
There may be projects where merge requests were PUBLIC before they became Only Project Members. In such cases, users may know the discussions (and their IDs, theoretically noted down somewhere).
So after merge requests become Only Project Members, they may continue to reply to those discussions which were public before!
Note that this doesn't work for LOCKED merge requests!
Regards,
Ashish
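The authorization gap the report describes, modelled as an added Ruby example (this is not GitLab's code or the reporter's): the weak check authorizes the note against the caller-supplied target_type, while the fixed check resolves in_reply_to_discussion_id to the discussion's real noteable and authorizes against that. The permission model, project id and discussion ids are constructed for the example.

```ruby
# Minimal model of a project, its discussions and a per-noteable read check.
# Project#merge_requests_access is :everyone or :members (the report's
# "Only Project Members" setting). Hypothetical, not GitLab's data model.
Project    = Struct.new(:id, :merge_requests_access)
Discussion = Struct.new(:id, :project_id, :noteable_type)

# Hypothetical permission model: the repository (and so commit discussions)
# is readable by everyone with access; merge requests depend on the setting.
def can_read?(user, project, noteable_type)
  case noteable_type
  when :commit then true
  when :merge_request
    project.merge_requests_access == :everyone || user[:member_of].include?(project.id)
  else false
  end
end

# Weak: trusts target_type from the request even when a reply id is present,
# so a commit-targeted request can land on a merge request discussion.
def authorize_reply_weak(user, project, params, _discussions)
  can_read?(user, project, params[:target_type])
end

# Fixed: the discussion being replied to decides which noteable is written to,
# and it must belong to the same project the request is posted against.
def authorize_reply_fixed(user, project, params, discussions)
  discussion = discussions[params[:in_reply_to_discussion_id]]
  return false if discussion.nil? || discussion.project_id != project.id
  can_read?(user, project, discussion.noteable_type)
end

# Constructed sample data: one public project whose merge requests are
# restricted to members, with one commit discussion and one MR discussion.
PROJECT = Project.new(1, :members)
DISCUSSIONS = {
  "commit-discussion-id" => Discussion.new("commit-discussion-id", 1, :commit),
  "mr-discussion-id"     => Discussion.new("mr-discussion-id", 1, :merge_request)
}
OUTSIDER = { name: "outsider", member_of: [] }
MEMBER   = { name: "member",   member_of: [1] }

# Request shaped like the one in the report: target is a commit, but the
# reply id points at a merge request discussion in the same project.
REPLY_TO_MR = { target_type: :commit, in_reply_to_discussion_id: "mr-discussion-id" }
REPLY_TO_COMMIT = { target_type: :commit, in_reply_to_discussion_id: "commit-discussion-id" }

puts "weak:  #{authorize_reply_weak(OUTSIDER, PROJECT, REPLY_TO_MR, DISCUSSIONS)}"   # true
puts "fixed: #{authorize_reply_fixed(OUTSIDER, PROJECT, REPLY_TO_MR, DISCUSSIONS)}"  # false
```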