Enumeration of Email address, Username, and Full Name using Group SAML External ID

HackerOne report #567781 by ngalog on 2019-05-06, assigned to hackerjuan:

Summary

SCIM user creation always returns the first user created with that external id, allowing an attacker to enumerate email address/username/full name using the external id of a group's SAML configuration.

Steps to reproduce

  • Get a SCIM token as documented in this [page](https://docs.gitlab.com/ee/api/scim.html)
  • Issue this request
POST /api/scim/v2/groups/YOUR_GROUP_PATH/Users HTTP/1.1  
Host: gitlab.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
content-type: application/scim+json  
authorization: bearer YOUR_SCIM_TOKEN  
Connection: close  
Content-Length: 312

[REDACTED]

Then you should see

[REDACTED]
  • This means you can now enumerate other groups' users' email/username/full name by external_id

Why

I think it is because the SQL query always returns the first user with that external id, so in this bug it always returns the first user ever created with the external id, regardless of which group the user belongs to.
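The group-scoping problem described above, as an added illustration in Ruby that is not GitLab's code: an in-memory model of the SCIM create-user lookup, where the vulnerable version returns the first identity with a given external ID across all groups, and the fixed version scopes the search to the group the SCIM token was issued for. The identities, group names and SCIM payload are constructed sample data; the assumption that the existing-user response echoes the stored username, email and display name rests only on the report's description of what is enumerable, since the actual request and response bodies are redacted above.

```ruby
# Added illustration (not GitLab's code): a minimal model of the SCIM
# "create user" lookup described in the report. The vulnerable lookup
# searches identities by external ID in every group; the fixed lookup
# restricts the search to the group the SCIM token belongs to.
# All records and the SCIM payload below are constructed sample data.

Identity = Struct.new(:extern_uid, :group, :username, :email, :full_name)

# Constructed sample data. "ext-1001" was first created in victim-group;
# attacker-group has no identity with that external ID at all.
IDENTITIES = [
  Identity.new("ext-1001", "victim-group",   "alice", "alice@victim.example",  "Alice Victim"),
  Identity.new("ext-2002", "attacker-group", "bob",   "bob@attacker.example",  "Bob Attacker"),
].freeze

# Vulnerable lookup: first identity with that extern_uid, regardless of group.
def vulnerable_find(extern_uid)
  IDENTITIES.find { |i| i.extern_uid == extern_uid }
end

# Fixed lookup: identity scoped to the group the SCIM token was issued for.
def scoped_find(group, extern_uid)
  IDENTITIES.find { |i| i.group == group && i.extern_uid == extern_uid }
end

# Models the POST /api/scim/v2/groups/:group/Users handler. `group` is the
# group the bearer token belongs to; `payload` is the SCIM User body.
# Returns the attributes the SCIM response would echo back (assumption:
# an existing user's stored attributes are returned, per the report).
def scim_create_user(group, payload, scoped:)
  extern_uid = payload.fetch("externalId")
  existing = scoped ? scoped_find(group, extern_uid) : vulnerable_find(extern_uid)
  if existing
    # Existing-user path: stored attributes come back, even from another group
    # when the lookup is not scoped. This is the enumeration primitive.
    { "status" => "existing", "group" => existing.group,
      "userName" => existing.username, "email" => existing.email,
      "displayName" => existing.full_name }
  else
    # Creation path: only the caller's own submitted data comes back.
    { "status" => "created", "group" => group,
      "userName" => payload.fetch("userName"),
      "email" => payload.fetch("emails").first.fetch("value"),
      "displayName" => payload.fetch("displayName") }
  end
end

# Constructed SCIM payload: an admin of attacker-group probing "ext-1001".
PROBE = {
  "schemas" => ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId" => "ext-1001",
  "userName" => "probe",
  "displayName" => "Probe User",
  "emails" => [{ "primary" => true, "type" => "work", "value" => "probe@attacker.example" }],
}.freeze

if __FILE__ == $PROGRAM_NAME
  leak = scim_create_user("attacker-group", PROBE, scoped: false)
  puts "vulnerable: #{leak}"  # echoes alice@victim.example from victim-group
  safe = scim_create_user("attacker-group", PROBE, scoped: true)
  puts "scoped:     #{safe}"  # no match in attacker-group, so a new user is created
end
```

The check a practitioner would want when reviewing similar code is whether every identity lookup keyed on an attacker-controlled identifier (here `externalId`) also carries the tenant the credential was issued for; in the model above that is the `group` argument that `scoped_find` requires and `vulnerable_find` lacks.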

PS

If the API request has any errors, please fix them as instructed, e.g. by changing the email address to a new one; it's just some dummy data.

Impact

Enumeration of Email address, Username, and Full Name using Group SAML External ID

Edited Jul 06, 2022 by Costel Maxim