Expose Private Group's Membership in endpoint /projects/:id/members/all
Title: Expose Private Group's Membership in endpoint /projects/:id/members/all
Link: https://hackerone.com/reports/424465
Date: 2018-10-16 02:10:40 +0000
By: @ngalog
Summary: When you visit a public project's member page, you can see its normal members. If the public project was shared with a private group, that private group is hidden from the web UI, since you are not authorised to reach that private group. However, there is an API endpoint disclosing that info: /projects/:id/members/all
Steps To Reproduce:
- Visit https://gitlab.com/golduserngalog/gitlabexporta/project_members; you should be able to see two members in this group only, but in fact I have shared this project with a private group with namespace privategroupwithprivatemember
- Also, when you visit https://gitlab.com/api/v4/projects/8881503/members, same result: only two members in the response, which is good
- However, when you visit https://gitlab.com/api/v4/projects/8881503/members/all, you will see two more members in the response, thus leaking the membership of the group privategroupwithprivatemember
This endpoint didn't check the user's authorization, which allows an unauthorized user to view the membership of a private group.
Impact
This allows an unauthorized user to view the membership of a private group.
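The missing check, modelled in plain Ruby as an added illustration (this is not GitLab's code): a members/all listing that merges inherited members from every shared group regardless of who is asking, next to a version that only includes groups the requesting user is allowed to read. The Group/Project structs, the can_read_group? rule and the member names are constructed for the example; the group and project names are taken from the report.

```ruby
# Added illustrative example, not GitLab's implementation.
# visibility is :public or :private; members are plain user names.
Group   = Struct.new(:name, :visibility, :members)
Project = Struct.new(:name, :members, :shared_groups)

# Simplified authorization rule (assumed): a private group is readable
# only by its own members; a public group is readable by anyone.
def can_read_group?(user, group)
  group.visibility == :public || group.members.include?(user)
end

# Vulnerable behaviour described in the report: inherited members from
# every shared group are returned without consulting the requester.
def members_all_unsafe(project, _user)
  inherited = project.shared_groups.flat_map(&:members)
  (project.members + inherited).uniq
end

# Hardened behaviour: filter shared groups by the requester's access
# before expanding them into inherited members.
def members_all_safe(project, user)
  inherited = project.shared_groups
                     .select { |g| can_read_group?(user, g) }
                     .flat_map(&:members)
  (project.members + inherited).uniq
end

# Constructed sample data mirroring the report's setup.
PRIVATE_GROUP  = Group.new("privategroupwithprivatemember", :private, %w[alice bob])
PUBLIC_PROJECT = Project.new("gitlabexporta", %w[owner dev], [PRIVATE_GROUP])
ANON = "anonymous"

if __FILE__ == $0
  puts "unsafe (anonymous): #{members_all_unsafe(PUBLIC_PROJECT, ANON).inspect}"
  puts "safe   (anonymous): #{members_all_safe(PUBLIC_PROJECT, ANON).inspect}"
  puts "safe   (alice):     #{members_all_safe(PUBLIC_PROJECT, 'alice').inspect}"
end
```

The anonymous caller sees the private group's members only through the unsafe path; a member of that group still sees them through the safe path.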