Previous Group Path Exposed via Transferred Group/Sub-Group/Project Audit Events

HackerOne report #770567 by rafiem on 2020-01-09:

Hi Team,

I have found an information disclosure regarding transferred groups/sub-groups/projects. A user who has access to the transferred group/sub-group/project can view the previous group path of the transferred group/sub-group/project. The previous group path in the audit events should not be exposed to a user who does not have access to the previous group.

Proof of Concept

1.) User A has a private sub-group inside a public group (In this case : https://gitlab.com/jumbre/sec_sub)
2.) User A creates a project inside that sub-group (In this case : https://gitlab.com/jumbre/sec_sub/asdf)
3.) User A creates another private group (In this case : https://gitlab.com/vokila)
4.) User A then transfers the project to the private group made in step 3 (In this case : https://gitlab.com/vokila/asdf)
5.) User A invites User B as Maintainer to the transferred project (https://gitlab.com/vokila/asdf)
6.) User B, as Maintainer, can access the audit events of the project and can see the previous group namespace of the transferred project (sec_sub), even though User B does not have access to that private sub-group
(Screenshot: audit_events.png)
7.) The exposed previous group path applies to transferred sub-groups and groups too.

Impact

Exposed Previous Group Path of Transferred Group/Sub-Group/Project

Best Regards,
[@]rafiem
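The following is an added illustration, not GitLab's code and not part of the report: a minimal Ruby model of the flaw the reporter describes and of the fix a defender would want. A transfer audit event stores the previous namespace path; the unsafe presenter shows that path to anyone who can read the project's audit log, while the hardened presenter resolves each path to its namespace and redacts it unless the viewer can read that namespace. User names, membership data and the event details are constructed after the report's scenario; the `Namespace`/`AuditEvent` structs and `render_*` functions are hypothetical, not GitLab's models.

```ruby
# Added example (not GitLab's code): modelling the audit-event leak from the
# report and a viewer-aware presenter that redacts paths the viewer cannot read.
require 'set'

# Constructed data model. full_path is the namespace's full path, e.g. "jumbre/sec_sub".
Namespace  = Struct.new(:full_path, :visibility, :members)
AuditEvent = Struct.new(:action, :details)

# Constructed after the report: a public top-level group, a private sub-group
# under it, and a separate private group that received the transferred project.
NAMESPACES = {
  'jumbre'         => Namespace.new('jumbre',         :public,  Set['user_a']),
  'jumbre/sec_sub' => Namespace.new('jumbre/sec_sub', :private, Set['user_a']),
  'vokila'         => Namespace.new('vokila',         :private, Set['user_a', 'user_b'])
}.freeze

# The audit event written when the project moved (details are constructed).
TRANSFER_EVENT = AuditEvent.new(
  'project_transferred',
  { project: 'asdf', from: 'jumbre/sec_sub', to: 'vokila' }
).freeze

REDACTED = '[redacted]'

# A viewer may read a namespace if it is public or they are a member of it.
def can_read_namespace?(user, namespace)
  namespace.visibility == :public || namespace.members.include?(user)
end

# Vulnerable behaviour described in the report: the stored previous path is
# rendered for every viewer of the project's audit log, regardless of access.
def render_unsafe(event, _viewer)
  d = event.details
  "#{event.action}: #{d[:project]} moved from #{d[:from]} to #{d[:to]}"
end

# Resolve a stored path to its namespace and show it only if the viewer can
# read that namespace. Unknown (e.g. since-deleted) namespaces are redacted too,
# because their former path is still information about a private hierarchy.
def visible_path(path, viewer, namespaces)
  ns = namespaces[path]
  ns && can_read_namespace?(viewer, ns) ? path : REDACTED
end

# Hardened: both the source and destination paths go through the access check.
def render_safe(event, viewer, namespaces = NAMESPACES)
  d    = event.details
  from = visible_path(d[:from], viewer, namespaces)
  to   = visible_path(d[:to],   viewer, namespaces)
  "#{event.action}: #{d[:project]} moved from #{from} to #{to}"
end

if __FILE__ == $PROGRAM_NAME
  # user_b is a maintainer of the transferred project but not a member of sec_sub.
  puts render_unsafe(TRANSFER_EVENT, 'user_b') # leaks jumbre/sec_sub
  puts render_safe(TRANSFER_EVENT, 'user_b')   # from [redacted] to vokila
  puts render_safe(TRANSFER_EVENT, 'user_a')   # owner of both: full paths shown
end
```

The check is done at render time against the viewer rather than at write time, so the audit record itself stays complete for administrators and for the namespace owners, and only the presentation to a less-privileged viewer changes.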
