HackerOne reported issue: Export files not renamed when a user changes the namespace
Jobert from HackerOne reported this issue: https://hackerone.com/reports/195058
Vulnerability details
When a user renames their namespace, another user can claim the namespace and download old export files from the victim. The attack scenario here is that someone would scrape existing GitLab namespaces (users and groups, which are public) and see if they're renamed (freeing up the old namespace). The attacker can then claim the namespace and download the victim's old export files.
Impact
This may expose confidential project information, including the repository code, merge requests, issues, and snippets.
Proof of concept
Follow the steps below to reproduce the vulnerability.
As the victim
- Create a group called test
- Create a new private project in the test group called test
- Click the Generate export button in the project's settings page
- Now rename the group to new-test
As the attacker
- Create a group called test (this is possible because the old group was renamed to new-test)
- Create a new private project in the test group called test
- Go to http://gitlab-instance/test/test/download_export
- Profit! The attacker will download the export file generated by the victim
Remediation
Expire download links when the namespace OR project URL changes. This vulnerability also applies when changing the project URL, although that is less severe. This might grant users access to private repositories, although far less likely than the PoC outlined in this report.
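The following is an added illustration of the remediation, not GitLab's own code: a minimal model in which export files are stored under the project's full path (namespace/project), and a namespace or project rename removes the export generated under the old path before the path is released. The `ExportStore`, `Namespace` and `Project` classes and the two check functions are constructed for this example; the scenario replayed is the PoC above (group `test` renamed to `new-test`, then `test/test` created again).

```ruby
require 'fileutils'
require 'tmpdir'

# Export files live on disk under the project's full path, mirroring the
# layout the report describes. Illustrative model only, not GitLab's code.
class ExportStore
  def initialize(root)
    @root = root
  end

  def path_for(full_path)
    File.join(@root, full_path, 'project.tar.gz')
  end

  def write(full_path, contents)
    path = path_for(full_path)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, contents)
    path
  end

  def exist?(full_path)
    File.exist?(path_for(full_path))
  end

  # Remove everything stored under a path so nothing is left for whoever
  # claims that path next.
  def remove(full_path)
    FileUtils.rm_rf(File.join(@root, full_path))
  end
end

class Project
  attr_reader :name

  def initialize(namespace, name, store)
    @namespace, @name, @store = namespace, name, store
  end

  def full_path
    "#{@namespace.path}/#{@name}"
  end

  def generate_export(contents)
    @store.write(full_path, contents)
  end

  def export_available?
    @store.exist?(full_path)
  end

  # Project-URL half of the fix: drop the export before the path changes.
  def invalidate_export!
    @store.remove(full_path)
  end

  def rename(new_name)
    invalidate_export!
    @name = new_name
  end
end

class Namespace
  attr_reader :path

  def initialize(path, store)
    @path, @store, @projects = path, store, []
  end

  def add_project(name)
    Project.new(self, name, @store).tap { |p| @projects << p }
  end

  # Namespace half of the fix: a rename changes every project's URL, so
  # every export generated under the old path is dropped first.
  def rename(new_path)
    @projects.each(&:invalidate_export!)
    @path = new_path
  end
end

# Replays the report's scenario: after `test` is renamed to `new-test`, a
# freshly created `test/test` must not find the old export on disk.
def rename_invalidates_export?
  Dir.mktmpdir do |root|
    store = ExportStore.new(root)
    victim = Namespace.new('test', store)
    project = victim.add_project('test')
    project.generate_export('constructed export contents')
    victim.rename('new-test')
    reclaimed = Namespace.new('test', store).add_project('test')
    !reclaimed.export_available? && !project.export_available?
  end
end

# Same check for the project-URL rename the remediation also covers.
def project_rename_invalidates_export?
  Dir.mktmpdir do |root|
    store = ExportStore.new(root)
    ns = Namespace.new('test', store)
    project = ns.add_project('test')
    project.generate_export('constructed export contents')
    project.rename('renamed')
    !ns.add_project('test').export_available?
  end
end
```

Both checks return true under this model. Removing the file on rename is the narrow fix the report asks for; keying export storage by an immutable project ID instead of the path removes the collision altogether, since a later owner of the same path never shares a storage location with the previous one.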
He also wishes @DouweM a happy birthday. :)