File template project ID exposed from public groups through group API

HackerOne report #549505 by ashish_r_padelkar on 2019-04-27, assigned to estrike:

Summary

Hello,

Very low severity issue, but I think this needs fixing, as it exposes the private project ID if it is set as a template in a public group.

For example, there is an option in group settings where you can set an immediate project as the group's template:

Screenshot_2019-04-28_at_01.33.45.png

If a public group sets a private project in the above setting, the ID of this private project is exposed publicly through the group API endpoint https://gitlab.com/api/v4/groups/<PublicGroupID>

You will find the file_template_project_id parameter in the response.

Steps to reproduce

  1. Create a public group
  2. Create a private project underneath
  3. Set this project as template for this group in group settings
  4. When any user navigates to this public group, they won't see any projects underneath, because it's a private project.
  5. Now use the group API endpoint https://gitlab.com/api/v4/groups/<PublicGroupID>
  6. See the response; you will find the private project ID as file_template_project_id.

Example POC

You can use this group for POC https://gitlab.com/PrivateGroupofGuest.

You won't see any projects in it, but there are private projects in it.

Now use https://gitlab.com/api/v4/groups/3721877 .

See the response and find file_template_project_id, which is the ID of the private project set as the template for this group.

What is the current bug behavior?

Private project ID is exposed if it is set as template in group

What is the expected correct behavior?

Users without permission to view the project shouldn't see this ID populated in the file_template_project_id parameter of the API response!

Output of checks

This bug happens on GitLab.com and might occur on Omnibus installations too!

Regards,
Ashish

Impact

While this may not be impactful currently, as it only exposes the ID, it needs fixing. Also, if there are any other vulnerabilities that allow an oracle of project names based on ID, this might be useful for a valid attack scenario.
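The check the report describes, written out as an added example (this is not code from the report or from GitLab). It uses the real endpoints GET /api/v4/groups/:id and GET /api/v4/projects/:id (a private project returns 404 to a caller without access); the sample group response and the project ID 12345678 below are constructed to mirror the report's scenario, and check_live is the optional online variant against the group ID from the POC. The second function shows the expected behaviour: the field is blanked for callers who cannot read the referenced project.

```python
"""Detect a group API response that reveals a file_template_project_id the
caller cannot read, and show the redaction the report asks for.

Added example, not part of the report or of GitLab. The sample responses
below are constructed; the project ID 12345678 is invented for illustration.
"""
import json
from typing import Callable, Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

GITLAB = "https://gitlab.com"


def http_get_json(url: str, token: Optional[str] = None):
    """GET a JSON endpoint; return (status, body). HTTP errors such as 404
    are returned as a status with body None rather than raised."""
    req = Request(url)
    if token:
        req.add_header("PRIVATE-TOKEN", token)
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as err:
        return err.code, None


def find_template_leak(group: dict, project_visible: Callable[[int], bool]) -> Optional[int]:
    """Return the template project ID if the group response carries one that
    the caller cannot read (the bug in the report), otherwise None."""
    pid = group.get("file_template_project_id")
    if pid is None:
        return None
    return None if project_visible(pid) else pid


def redact_template_project(group: dict, project_visible: Callable[[int], bool]) -> dict:
    """Expected behaviour: serve the field only when the caller can read the
    referenced project; otherwise return it as null."""
    out = dict(group)
    pid = out.get("file_template_project_id")
    if pid is not None and not project_visible(pid):
        out["file_template_project_id"] = None
    return out


def check_live(group_id: int, token: Optional[str] = None) -> Optional[int]:
    """Online variant: query the group, then probe the referenced project with
    the same credentials (none = anonymous). Not run by the offline sample."""
    status, group = http_get_json(f"{GITLAB}/api/v4/groups/{group_id}", token)
    if status != 200 or group is None:
        raise RuntimeError(f"group {group_id} not readable (HTTP {status})")

    def visible(pid: int) -> bool:
        pstatus, _ = http_get_json(f"{GITLAB}/api/v4/projects/{pid}", token)
        return pstatus == 200

    return find_template_leak(group, visible)


# Constructed sample: what an anonymous caller sees for the POC group.
# "projects" is empty (the private project is hidden from the listing), yet
# the template field still names it.
SAMPLE_GROUP = {
    "id": 3721877,
    "name": "PrivateGroupofGuest",
    "visibility": "public",
    "projects": [],
    "file_template_project_id": 12345678,  # constructed private project ID
}

# Constructed: project IDs an anonymous caller can read (GET /projects/:id
# returns 200). The template project is deliberately not among them.
ANON_READABLE_PROJECTS = {11111111, 22222222}


def anonymous_can_see(pid: int) -> bool:
    return pid in ANON_READABLE_PROJECTS


if __name__ == "__main__":
    leaked = find_template_leak(SAMPLE_GROUP, anonymous_can_see)
    print("leaked template project id:", leaked)
    print("redacted:", json.dumps(redact_template_project(SAMPLE_GROUP, anonymous_can_see)))
```

Running check_live(3721877) without a token reproduces the report's steps 5 and 6 against the live API; with a token for a group member, project_visible returns True and no leak is reported, which is the behaviour the fix should give for everyone.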

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-04-28_at_01.33.45.png