Private merge request titles leaked for guest users through system notes

HackerOne report #435093 by xanbanx on 2018-11-06:

Guest users have limited access to GitLab projects. If a project is private, guest users do not have access to the repository nor to merge requests.

However, system notes referencing merge requests in issues reveal the merge request title in the tooltip.

Steps to reproduce

Tested on GitLab Community Edition 11.5.0-pre (d0c58a97)

  1. Add a guest user to a private project
  2. As a developer user of that project, create an issue (e.g. issue with ID 1) and a merge request (e.g. with ID 1). Let the merge request description reference that issue, e.g. by containing #1 in the description
  3. As a guest user open issue #1

You will see a system note indicating that the issue is being referenced by merge request !1. By hovering over the system note, the tooltip is expanded, and the private merge request title is shown.

Impact

Guest users can read merge request titles

Attachments

Warning: Attachments received through HackerOne, please exercise caution!


HackerOne report #435100

After finding https://hackerone.com/reports/435093, I looked further into that. GitLab allows auto-referencing of merge requests inside markdown fields like issue descriptions or notes. However, merge request references get rendered for guest users, who do not have access to merge requests. They now have access to merge request titles. Users can enumerate the titles of all merge requests.

Steps to reproduce

Tested on GitLab Community Edition 11.5.0-pre (d0c58a97)

  1. Add a guest user to a private project. The project needs to have at least one merge request.
  2. As the guest user create an issue. In the issue description enter "!1" to reference the merge request.

After creating the issue, the merge request link gets rendered and the tooltip shows the merge request title. See the attached image as an example.

Mitigation

The markdown pipeline needs to check whether the user can read a merge request before rendering the link.

Impact

The user can enumerate all merge requests and get access to private merge request titles.

Dev issue (internal): https://dev.gitlab.org/gitlab/gitlabhq/issues/2768
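The check the mitigation asks for, as an added illustration that is not GitLab's code (GitLab's real rendering lives in its Banzai reference filters; the classes, the `can_read_merge_request?` rule and the `/mr/` path here are constructed stand-ins): a reference filter that expands `!N` into a link with a title tooltip only after confirming the viewer may read that merge request. The same check covers both the system-note tooltip in the first report and the description references in the second.

```ruby
require 'cgi'

# Constructed example, not GitLab's Banzai code: a minimal markdown reference
# filter that expands "!N" merge request references into links with a title
# tooltip, with and without a permission check.

MergeRequest = Struct.new(:iid, :title)
User = Struct.new(:name, :role)          # role is :guest or :developer

class Project
  attr_reader :merge_requests             # iid => MergeRequest
  def initialize(merge_requests)
    @merge_requests = merge_requests.map { |mr| [mr.iid, mr] }.to_h
  end
end

# Stand-in for the permission rule the reports describe: guests of a private
# project cannot read merge requests at all.
def can_read_merge_request?(user, _project, _mr)
  user.role != :guest
end

# Vulnerable behaviour from the reports: every viewer gets the expanded link,
# so the title leaks through the tooltip even when the viewer cannot open it.
def render_references_unchecked(text, project)
  text.gsub(/!(\d+)/) do
    raw = Regexp.last_match(0)
    mr = project.merge_requests[Regexp.last_match(1).to_i]
    next raw unless mr
    %(<a href="/mr/#{mr.iid}" title="#{CGI.escapeHTML(mr.title)}">!#{mr.iid}</a>)
  end
end

# Fixed behaviour: check the viewer's permission before expanding; an
# unreadable or non-existent reference is left as plain text, which also
# stops a guest from enumerating which iids exist.
def render_references(text, project, user)
  text.gsub(/!(\d+)/) do
    raw = Regexp.last_match(0)
    mr = project.merge_requests[Regexp.last_match(1).to_i]
    next raw unless mr && can_read_merge_request?(user, project, mr)
    %(<a href="/mr/#{mr.iid}" title="#{CGI.escapeHTML(mr.title)}">!#{mr.iid}</a>)
  end
end
```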

Edited by Oswaldo Ferreira