  • #212911
Closed
Open
Issue created Mar 30, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Guest user can see tag names

HackerOne report #833334 by izzsec on 2020-03-28, assigned to @rchan-gitlab:

Security Implementation Issue

Summary

According to https://gitlab.com/help/user/permissions, "Guest users can access GitLab Releases for downloading assets but are not allowed to download the source code nor see repository information like tags and commits."
By querying the releases API for a project that the user has guest access to, they are able to see tag names under the _links.self JSON field.

Steps to reproduce

  1. Create new private project
  2. Add a guest user
  3. Go to Home --> Releases https://gitlab.com///-/releases
  4. Click New Release, enter any tag name and click Create tag
  5. As the guest user, go to Releases; the API page at https://gitlab.com/api/v4/projects/<project_id>/releases?per_page=20 will load
  6. Check the JSON response and see the tag name under _links.self
  7. Alternatively, query the releases API with the guest user's token:
curl -X GET -H "Private-Token: <PRIVATE_TOKEN>" https://gitlab.com/api/v4/projects/<project_id>/releases

JSON snippet with _links.self and tag name:

"_links": {
  "self": "https://gitlab.com/<group>/<project>/-/releases/<tag_name>"
}

Impact

Guest users can see tag names

Examples

This happens on gitlab.com.

What is the current bug behavior?

Guest users can see tag names

What is the expected correct behavior?

Tag names should not be displayed to guest users.
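A regression check for the exposure described above, added here as an example (it is not part of the report or of GitLab's code): it walks a releases API response as a guest would receive it and lists every field that carries a tag name, both explicit tag_name fields and any /-/releases/<tag> URL under _links. The sample response, its URLs and tag values are constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of what the report says a guest receives from
# GET /api/v4/projects/<project_id>/releases (placeholder values only).
SAMPLE_GUEST_RESPONSE = json.dumps([
    {
        "name": "Release 1",
        "description": "first release",
        "_links": {
            "self": "https://gitlab.com/<group>/<project>/-/releases/v1.0.0",
        },
    },
    {
        "name": "Release 2",
        "tag_name": "v1.1.0",
        "_links": {
            "self": "https://gitlab.com/<group>/<project>/-/releases/v1.1.0",
            "edit_url": "https://gitlab.com/<group>/<project>/-/releases/v1.1.0/edit",
        },
    },
])

# The tag is the path segment right after "/-/releases/"; tags containing
# "/" arrive URL-encoded, so one segment is enough.
RELEASE_PATH = re.compile(r"/-/releases/([^/]+)")


def tag_from_release_url(url):
    """Return the tag segment of a /-/releases/<tag> URL, or None."""
    match = RELEASE_PATH.search(urlparse(url).path)
    return match.group(1) if match else None


def find_tag_exposures(body):
    """Collect every place a tag name appears in a releases API response
    as (release_index, json_path, tag) tuples."""
    found = []
    for index, release in enumerate(json.loads(body)):
        if release.get("tag_name"):
            found.append((index, "tag_name", release["tag_name"]))
        for key, url in (release.get("_links") or {}).items():
            tag = tag_from_release_url(url)
            if tag:
                found.append((index, f"_links.{key}", tag))
    return found


def guest_response_is_clean(body):
    """True when a guest-level response exposes no tag name at all."""
    return not find_tag_exposures(body)
```

Run it against the JSON an actual guest token returns from your own instance to confirm the expected behaviour (no tag names for guests) holds after an upgrade.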

Edited Jan 07, 2021 by Shinya Maeda