Project member with Reporter permission able to read wiki history via "git clone ...; git log"
HackerOne report #604611 by nikitastupin
on 2019-06-09, assigned to jmatos_bgtvf
Summary
Hi,
A project member with Guest or Reporter permission can't view project wiki history using the web interface. However, a Reporter can view wiki history by first cloning the repository via git clone https://gitlab.com/:username/:project.wiki.git and then locally running git log.
If the project is public, the wiki can be cloned even with anonymous access.
Steps to reproduce
- Create a private project. Create a wiki page. Add a member with Reporter permissions to the project.
- Go to the terminal and execute git clone https://gitlab.com/:username/:project.wiki.git where :username is the name of the project owner and :project is the project name. Enter the Reporter's username and password when git asks for them.
- Run git log inside the repository.
Impact
Unauthorised members can see wiki history.
Examples
Project export: REDACTED.
Full path to the project: https://gitlab.com/nshackerone/aclmon-private-project.
What is the current bug behavior?
$ git clone https://gitlab.com/nshackerone/aclmon-private-project.wiki.git
Cloning into 'aclmon-private-project.wiki'...
Username for 'https://gitlab.com': ns3hackerone
Password for 'https://ns3hackerone@gitlab.com':
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
What is the expected correct behavior?
$ git clone https://gitlab.com/nshackerone/aclmon-private-project.wiki.git
Cloning into 'aclmon-private-project.wiki'...
Username for 'https://gitlab.com': ns3hackerone
Password for 'https://ns3hackerone@gitlab.com':
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://gitlab.com/nshackerone/aclmon-private-project.wiki.git/': The requested URL returned error: 403
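The root cause class behind the steps above and the expected 403 is an authorization mismatch between channels: the web UI gates wiki history on one ability, while the git transport for the wiki repository is gated like an ordinary repository download, and a clone hands over the complete history. The following Ruby model is an added example, not GitLab's code; it assumes (for the example only) that viewing wiki history in the UI requires the Developer role, matching the report's observation that Guest and Reporter cannot see it there, and it contrasts a buggy transport gate with one that delegates to the same ability, plus an audit helper that reports any channel leaking history to a user the UI would refuse.

```ruby
# Added example (not GitLab's code): a constructed model of per-channel
# wiki authorization, showing why the git transport must be gated by the
# same ability as the wiki-history page.

module WikiAccessModel
  # Assumed role ordering, modelled on GitLab-style access levels.
  ACCESS_LEVELS = { anonymous: 0, guest: 10, reporter: 20,
                    developer: 30, maintainer: 40 }.freeze

  # Assumption for this example: viewing wiki page history in the web UI
  # requires Developer, consistent with Guest and Reporter being refused.
  HISTORY_MIN_ROLE = :developer

  Project = Struct.new(:visibility, :members) # members: { username => role }

  def self.role_of(project, username)
    return :anonymous if username.nil?
    project.members.fetch(username, :anonymous)
  end

  def self.at_least?(role, minimum)
    ACCESS_LEVELS.fetch(role) >= ACCESS_LEVELS.fetch(minimum)
  end

  # The web-UI gate for the wiki history page.
  def self.read_wiki_history?(project, username)
    at_least?(role_of(project, username), HISTORY_MIN_ROLE)
  end

  # Buggy git-transport gate: treats the wiki repository like any other
  # repository download, so a Reporter on a private project (or anyone on
  # a public one) gets a clone, and with it the whole history via git log.
  def self.clone_wiki_buggy?(project, username)
    return true if project.visibility == :public
    at_least?(role_of(project, username), :reporter)
  end

  # Corrected gate: a clone exposes the complete page history, so it is
  # allowed only when the history itself may be read. The report's expected
  # behaviour (HTTP 403 for the Reporter) follows from this check.
  def self.clone_wiki_fixed?(project, username)
    read_wiki_history?(project, username)
  end

  # Audit helper: lists every channel that reveals history to a user who
  # may not read it through the UI. An empty list means the gates agree.
  def self.leaking_channels(project, username, clone_gate)
    leaks = []
    unless read_wiki_history?(project, username)
      leaks << :git_clone if clone_gate.call(project, username)
    end
    leaks
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample project: private, with one Reporter and one Developer.
  project = WikiAccessModel::Project.new(
    :private, { 'reporter-user' => :reporter, 'dev-user' => :developer }
  )
  %w[reporter-user dev-user].each do |user|
    buggy = WikiAccessModel.leaking_channels(
      project, user, WikiAccessModel.method(:clone_wiki_buggy?))
    fixed = WikiAccessModel.leaking_channels(
      project, user, WikiAccessModel.method(:clone_wiki_fixed?))
    puts "#{user}: buggy gate leaks #{buggy.inspect}, fixed gate leaks #{fixed.inspect}"
  end
end
```

The design point is that every channel exposing a resource (web UI, API, git transport) should resolve to one ability check rather than to parallel, hand-maintained role thresholds; the audit helper is the kind of parity check that would have flagged this inconsistency before it shipped.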
Output of checks
This bug happens on GitLab.com
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- REDACTED