Know whether TAGS exists or not in projects using API response
HackerOne report #478569 by ashish_r_padelkar
on 2019-01-12, assigned to asaba
:
Summary:
Hello,
For PUBLIC projects with below settings, tags arent visible for users!
Description:
Using the API at https://docs.gitlab.com/ee/api/releases/links.html
, whether TAGS exists in projects or not using the response !
You need to guess the TAG name and put it in API. If the response is 403
from API, The TAG exists. If it throws 404
, TAG doesnt exists!
Steps To Reproduce:
- Apply above settings for the PUBLIC project
- As any logged in user, run the curl
curl --header "PRIVATE-TOKEN:[REDACTED]" "http://localhost:3000/api/v4/projects/24/releases/<GuessValidTag>/assets/links"
The above response would be {"message":"403 Forbidden"}
because you guessed the VALID TAG NAME
Now run the below curl
curl --header "PRIVATE-TOKEN: [REDACTED]" "http://localhost:3000/api/v4/projects/24/releases/<AnyRandomTAG>/assets/links"
This would throw {"message":"404 Not found"}
means TAG Doesnt exists in project!
Regards,
Ashish
Impact
Know wether TAGS exists or not in projects using API response!
Attachments
Warning: Attachments received through HackerOne, please exercise caution!