
Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token

HackerOne report #884174 by vaib25vicky on 2020-05-28, assigned to @vdesousa:

Security Issue https://gitlab.com/gitlab-org/security/gitlab/-/issues/228

Description

The doc https://docs.gitlab.com/ee/user/project/settings/#sharing-and-permissions states that

If you disable Repository functionality, GitLab also disables the following features for your project:
  • Merge Requests
  • Pipelines
  • Container Registry
  • Git Large File Storage
  • Packages

After disabling the repository functionality, no one, including the owner of the project, is allowed to git clone and access the repository files.
But this is not the case with deploy tokens: they allow you to download (git clone) or push and pull packages and container registry images of a project without having a user and a password. So, someone with a deploy token for the project is able to access the project files and container registry.

Consider a situation where the project owner's token got stolen or he lost it, and the owner decided to disable repository functionality instead of revoking the token; this can be problematic. The owner could decide to disable the repository first as a defense against a lost token, because the GitLab doc states that it disables project files as well as the container registry.

Steps to reproduce

As a quick PoC, I am going to use my public project whose repository functionality is disabled:

[REDACTED]

  • Going to the above link, you can see the repository is disabled.
  • Use the API below with the project deploy token:
git clone https://[REDACTED]
  • You will see one file in the lame folder named hackerone.

Impact

Consider a situation where the project owner's token got stolen or he lost it, and the owner decided to disable repository functionality instead of revoking the token; this can be problematic. The owner could decide to disable the repository first as a defense against a lost token, because the GitLab doc states that it disables project files as well as the container registry.

What is the current bug behavior?

Able to clone the repository via a deploy token even when the owner has disabled repository functionality.

What is the expected correct behavior?

If repository functionality is disabled, then don't allow deploy tokens to clone the repository or access the container registry.

Output of checks

This bug happens on GitLab.com


Edited by Costel Maxim
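As an added example (not from the report and not GitLab's own code), an audit helper for the mitigation the report implies: it lists deploy tokens that are still active and still hold repository or registry scopes on a project whose repository_access_level is "disabled", so they can be revoked rather than trusted to the feature toggle. The input shapes follow the GitLab API responses for GET /projects/:id and GET /projects/:id/deploy_tokens; the sample project and tokens are constructed.

```python
from datetime import datetime, timezone

# Deploy-token scopes that reach data the docs say is switched off with the repository.
RISKY_SCOPES = {"read_repository", "write_repository", "read_registry",
                "write_registry", "read_package_registry", "write_package_registry"}


def token_is_active(token, now=None):
    """A deploy token still grants access unless it is revoked or past expires_at."""
    now = now or datetime.now(timezone.utc)
    if token.get("revoked"):
        return False
    expires = token.get("expires_at")
    if expires:
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if exp <= now:
            return False
    return True


def find_risky_tokens(project, tokens, now=None):
    """Return [(token name, offending scopes)] for active tokens whose scopes touch
    the repository or registries of a project that has its repository disabled."""
    if project.get("repository_access_level") != "disabled":
        return []
    findings = []
    for tok in tokens:
        if not token_is_active(tok, now):
            continue
        hit = sorted(RISKY_SCOPES & set(tok.get("scopes", [])))
        if hit:
            findings.append((tok["name"], hit))
    return findings


# Constructed sample data shaped like the project and deploy_tokens API responses.
SAMPLE_PROJECT = {"id": 1, "path_with_namespace": "example/demo",
                  "repository_access_level": "disabled"}
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-pull", "revoked": False, "expires_at": None,
     "scopes": ["read_repository", "read_registry"]},
    {"id": 2, "name": "old-token", "revoked": True, "expires_at": None,
     "scopes": ["read_repository"]},
    {"id": 3, "name": "expired", "revoked": False,
     "expires_at": "2020-01-01T00:00:00Z", "scopes": ["read_registry"]},
]

if __name__ == "__main__":
    for name, scopes in find_risky_tokens(SAMPLE_PROJECT, SAMPLE_TOKENS):
        print(f"revoke deploy token {name!r}: still grants {scopes}")
```

Only the live, unexpired token with repository or registry scopes is reported; revoked and expired tokens are skipped.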