Information disclosure in `Projects::BlobController#from_merge_request`
By modifying the `from_merge_request_id` parameter, an attacker can enumerate the names and paths of private projects they have no access to: the parameter is looked up as a global merge request ID rather than scoped to the current project, and the resulting redirect reveals the owning project's path before any authorization check on that project happens.
This was discovered by @DouweM during a technical interview.
Steps to reproduce:
- As an attacker, view any merge request to which you have access.
- Go to Changes and click Edit for any file.
- Note that the `from_merge_request_id` parameter uses the merge request's `id` field value (the global primary key), not its `iid` (the project-internal ID).
- Using a tool like Burp Suite, intercept your network traffic and hit Commit Changes.
- In Burp Suite, change the `from_merge_request_id` parameter to any other integer and forward the request.
- You'll receive a redirect response from the server containing the path to a project's merge request. Depending on the integer used above, you may not have access to this project, yet its namespace and project path are disclosed in the redirect `Location`.
Offending lines: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/blob_controller.rb#L129 and https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/blob_controller.rb#L43-45
We should be using project.merge_requests.find(...) at the very least, so that a merge request belonging to another project is simply not found (404) instead of being resolved and redirected to, and we should use only internal IDs (`iid`) if possible, since an `iid` has no meaning outside the project it was issued in and gives an attacker nothing to enumerate across projects.
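To make the difference concrete, here is an added example (not GitLab's code) that models the lookup behind `from_merge_request` with plain Ruby objects, so it runs without Rails. The project paths, IDs, the `from_merge_request_iid` parameter name and the redirect path format are all constructed for illustration; only the pattern (global `find` on the primary key versus a lookup scoped to the current project by `iid`) is what the issue describes.

```ruby
# Added example, not GitLab's code. In-memory stand-ins for ActiveRecord
# models; all IDs, paths and parameter names below are constructed.

Project = Struct.new(:id, :path) do
  # Equivalent of project.merge_requests: only this project's MRs.
  def merge_requests
    MERGE_REQUESTS.select { |mr| mr.project_id == id }
  end
end

MergeRequest = Struct.new(:id, :iid, :project_id) do
  def project
    PROJECTS.fetch(project_id)
  end
end

PROJECTS = {
  1 => Project.new(1, "public-group/public-project"),
  2 => Project.new(2, "secret-group/secret-project"),
}.freeze

# Global ids are unique across the instance; iids restart per project.
MERGE_REQUESTS = [
  MergeRequest.new(10, 1, 1),
  MergeRequest.new(11, 1, 2), # global id 11 lives in the private project
  MergeRequest.new(12, 2, 2),
].freeze

class NotFound < StandardError; end

# Vulnerable pattern: MergeRequest.find(params[:from_merge_request_id]).
# A global primary-key lookup ignores which project the request came from,
# so any integer resolves to *some* merge request, wherever it lives.
def from_merge_request_vulnerable(_current_project, params)
  wanted = Integer(params[:from_merge_request_id])
  mr = MERGE_REQUESTS.find { |m| m.id == wanted }
  raise NotFound unless mr
  mr
end

# Fixed pattern: scope to the current project and key on the
# project-internal iid (hypothetical renamed parameter). A merge request
# from another project cannot be reached from here at all.
def from_merge_request_fixed(current_project, params)
  wanted = Integer(params[:from_merge_request_iid])
  mr = current_project.merge_requests.find { |m| m.iid == wanted }
  raise NotFound unless mr
  mr
end

# What the post-commit redirect would reveal: the owning project's path.
def redirect_target(mr)
  "/#{mr.project.path}/merge_requests/#{mr.iid}/diffs"
end

# Attacker working inside a project they can see, tampering with the id.
def leaked_path(current_project, params)
  redirect_target(from_merge_request_vulnerable(current_project, params))
end

# Same attempt against the scoped lookup: nil (404) instead of a path.
def scoped_path(current_project, params)
  redirect_target(from_merge_request_fixed(current_project, params))
rescue NotFound
  nil
end

if __FILE__ == $PROGRAM_NAME
  me = PROJECTS[1]
  puts leaked_path(me, from_merge_request_id: "11")
  p scoped_path(me, from_merge_request_iid: "2")
  puts scoped_path(me, from_merge_request_iid: "1")
end
```

The global lookup resolves id 11 to the private project's merge request and the redirect hands the attacker `secret-group/secret-project`; the scoped lookup has no merge request with iid 2 in the public project and returns nothing, while the legitimate iid 1 still works. Scoping alone (`project.merge_requests.find(id)`) would also stop the leak, since the foreign id is not found within the project; switching to `iid` additionally removes the instance-wide sequence that makes enumeration cheap.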