Know whether TAGS exist or not in projects using API response

HackerOne report #478569 by ashish_r_padelkar on 2019-01-12, assigned to asaba:

Summary:
Hello,

For PUBLIC projects with the below settings, tags aren't visible for users!

Screenshot_2019-01-12_at_19.03.17.png

Description:
Using the API at https://docs.gitlab.com/ee/api/releases/links.html, you can know whether TAGS exist in projects or not using the response!

You need to guess the TAG name and put it in the API. If the response is 403 from the API, the TAG exists. If it throws 404, the TAG doesn't exist!

Steps To Reproduce:

  1. Apply above settings for the PUBLIC project
  2. As any logged in user, run the curl
curl --header "PRIVATE-TOKEN:[REDACTED]" "http://localhost:3000/api/v4/projects/24/releases/<GuessValidTag>/assets/links"  

The above response would be {"message":"403 Forbidden"} because you guessed the VALID TAG NAME

Now run the below curl

curl --header "PRIVATE-TOKEN: [REDACTED]" "http://localhost:3000/api/v4/projects/24/releases/<AnyRandomTAG>/assets/links"  

This would throw {"message":"404 Not found"}

This means the TAG doesn't exist in the project!

Regards,
Ashish

Impact

Know whether TAGS exist or not in projects using API response!


Edited by Darby Frey
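
The 403/404 difference described in the report, modelled as an added Ruby example (not GitLab's code and not part of the report). It assumes the difference comes from looking up the tag before authorizing the caller, which the page does not confirm, and contrasts that ordering with authorize-first; `Project`, the handler names and the sample data are hypothetical.

```ruby
# Constructed model of the endpoint in the report; not GitLab's implementation.
# Project, the handler names and the sample data are hypothetical.
Project = Struct.new(:id, :tags, :readers) # readers: user ids allowed to see tags

FORBIDDEN = [403, '{"message":"403 Forbidden"}'].freeze
NOT_FOUND = [404, '{"message":"404 Not found"}'].freeze

# Ordering that reproduces the reported behaviour: the tag is looked up
# before the caller is authorized, so the status depends on tag existence.
def links_lookup_first(project, user_id, tag)
  return NOT_FOUND unless project.tags.include?(tag)
  return FORBIDDEN unless project.readers.include?(user_id)
  [200, '[]']
end

# Hardened ordering: authorize first, so a caller without access gets the
# same answer for every tag name, existing or not.
def links_authorize_first(project, user_id, tag)
  return FORBIDDEN unless project.readers.include?(user_id)
  return NOT_FOUND unless project.tags.include?(tag)
  [200, '[]']
end

# Regression check: distinct statuses an unauthorized caller sees across
# tag names. More than one distinct status is an existence oracle.
def statuses_seen(handler, project, user_id, tag_names)
  tag_names.map { |tag| send(handler, project, user_id, tag).first }.uniq
end

def leaks_existence?(handler, project, user_id, tag_names)
  statuses_seen(handler, project, user_id, tag_names).size > 1
end

SAMPLE = Project.new(24, ['v1.0'], [1]) # constructed data
PROBES = ['v1.0', 'no-such-tag'].freeze
OUTSIDER = 7 # logged-in user who is not allowed to see tags

if __FILE__ == $PROGRAM_NAME
  %i[links_lookup_first links_authorize_first].each do |handler|
    puts "#{handler}: statuses=#{statuses_seen(handler, SAMPLE, OUTSIDER, PROBES)} " \
         "leaks=#{leaks_existence?(handler, SAMPLE, OUTSIDER, PROBES)}"
  end
end
```

A check like `leaks_existence?` fits a request spec that runs as a user without access and asserts one uniform status across existing and non-existing tag names.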