Guest user can see tag names
HackerOne report #833334 by izzsec
on 2020-03-28, assigned to @rchan-gitlab:
Summary
According to https://gitlab.com/help/user/permissions, "Guest users can access GitLab Releases for downloading assets but are not allowed to download the source code nor see repository information like tags and commits."
By querying the releases API for a project they have guest access to, a guest user can see tag names in the _links.self JSON field.
Steps to reproduce
- Create new private project
- Add a guest user
- Go to Home --> Releases https://gitlab.com///-/releases
- Click New Release, enter any tagname and click create tag
- As a guest user, go to Releases; the API page at https://gitlab.com/api/v4/projects/<project_id>/releases?per_page=20 will load
- Check the JSON response and see the tag name under _links.self
- Alternatively, query the releases API with the guest user's token:
curl -X GET -H "Private-Token: <PRIVATE_TOKEN>" https://gitlab.com/api/v4/projects/<project_id>/releases
JSON snippet with _links.self and tag name:
  "_links": {
    "self": "https://gitlab.com/<group>/<project>/-/releases/<tag_name>"
  }
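As an added check, not part of the original report or of GitLab's own code, the Python below parses a releases API response as a guest-level caller would receive it and lists every tag name exposed through the _links values; it also shows an illustrative server-side redaction of such links. The sample response, the group/project/tag names and the redaction helper are all constructed for this example.

```python
import json
from urllib.parse import unquote, urlparse

# Constructed sample modelled on the shape of the releases API response
# described in the report. Group, project and tag names are placeholders.
SAMPLE_RESPONSE = json.dumps([
    {
        "name": "First release",
        "description": "Initial release notes",
        "_links": {
            "self": "https://gitlab.com/example-group/example-project/-/releases/v1.0.0",
            "edit_url": "https://gitlab.com/example-group/example-project/-/releases/v1.0.0/edit",
        },
    },
    {
        "name": "Hotfix",
        "description": "Tag containing a slash, percent-encoded in the link",
        "_links": {
            "self": "https://gitlab.com/example-group/example-project/-/releases/hotfix%2F2020-03",
        },
    },
    {
        "name": "Release without links",
        "description": "No _links object at all",
    },
])

RELEASE_PATH_MARKER = "/-/releases/"


def tag_from_release_url(url):
    """Return the tag name embedded in a '/-/releases/<tag>' URL, or None.

    The tag is the first path segment after the marker, percent-decoded,
    so a link for the tag 'hotfix/2020-03' (encoded as hotfix%2F2020-03)
    comes back as 'hotfix/2020-03'.
    """
    path = urlparse(url).path
    idx = path.find(RELEASE_PATH_MARKER)
    if idx == -1:
        return None
    remainder = path[idx + len(RELEASE_PATH_MARKER):]
    tag = remainder.split("/", 1)[0]
    return unquote(tag) or None


def find_tag_leaks(response_body):
    """Scan a releases API JSON body fetched with a guest-level token and
    return every (link key, tag name) pair that exposes a tag via _links.

    An empty list means the response carries no tag names in its links,
    which is what a fixed instance should return for a guest."""
    leaks = []
    for release in json.loads(response_body):
        links = release.get("_links") or {}
        for key, url in links.items():
            tag = tag_from_release_url(url)
            if tag is not None:
                leaks.append((key, tag))
    return leaks


def redact_release_links(release):
    """Return a copy of one release entry with every _links value that
    embeds a tag name removed. Illustrative redaction for guest-level
    callers, not GitLab's actual fix."""
    redacted = dict(release)
    links = release.get("_links")
    if links:
        redacted["_links"] = {
            key: url for key, url in links.items()
            if tag_from_release_url(url) is None
        }
    return redacted


def redact_response(response_body):
    """Apply redact_release_links to every entry of a JSON response body
    and return the redacted body as JSON text."""
    entries = json.loads(response_body)
    return json.dumps([redact_release_links(r) for r in entries])


if __name__ == "__main__":
    for key, tag in find_tag_leaks(SAMPLE_RESPONSE):
        print(f"tag name exposed via _links.{key}: {tag}")
    print("after redaction:", find_tag_leaks(redact_response(SAMPLE_RESPONSE)))
```

To use this against a real instance, fetch the releases endpoint with a guest user's token (as in the curl command above) and pass the response body to find_tag_leaks; any non-empty result means the guest can still read tag names from the links.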
Impact
Guest users can see tag names
Examples
This happens on gitlab.com.
What is the current bug behavior?
Guest users can see tag names
What is the expected correct behavior?
Tag names should not be displayed to guest users.
Edited by Shinya Maeda