Issue created Jun 03, 2020 by GitLab SecurityBot@gitlab-securitybotReporter

Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token

HackerOne report #884174 by vaib25vicky on 2020-05-28, assigned to @vdesousa:

Security Issue https://gitlab.com/gitlab-org/security/gitlab/-/issues/228

Description

The doc https://docs.gitlab.com/ee/user/project/settings/#sharing-and-permissions states that:

If you disable Repository functionality, GitLab also disables the following features for your project:
  • Merge Requests
  • Pipelines
  • Container Registry
  • Git Large File Storage
  • Packages

After disabling the repository functionality, no one, including the owner of the project, is allowed to git clone and access the repository files.
But this is not the case with deploy tokens: they allow you to download (git clone) or push and pull packages and container registry images of a project without having a user and a password. So, one with a deploy token of the project is able to access the project files and container registry.

Assuming a situation where the owner's project token got stolen or he lost it, and the owner decided to disable repository functionality instead of revoking the token, this can be problematic. And the owner may decide to disable the repository first as a defense against a lost token, because the GitLab doc states that it disables project files as well as the container registry.

Steps to reproduce

As a quick PoC, I am going to use my public project whose repository functionality is disabled:

[REDACTED]

  • Going to the above link, you can see the repository is disabled.
  • Use the API below with the project deploy token:
git clone https://[REDACTED]
  • You will see one file in the lame folder named hackerone.

Impact

Assuming a situation where the owner's project token got stolen or he lost it, and the owner decided to disable repository functionality instead of revoking the token, this can be problematic. And the owner may decide to disable the repository first as a defense against a lost token, because the GitLab doc states that it disables project files as well as the container registry.

What is the current bug behavior?

Able to clone the repository via a deploy token even when the owner has disabled repository functionality.

What is the expected correct behavior?

If repository functionality is disabled, then don't allow deploy tokens to clone the repository or access the container registry.

Output of checks

This bug happens on GitLab.com.

Impact

Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token

Edited Jul 06, 2022 by Costel Maxim
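As an added defender's audit check (example code written for this page, not part of the report or of GitLab), the function below lists the deploy tokens that would still grant repository or registry access on a project whose Repository feature is disabled, so they can be revoked rather than relied on being blocked. The record shapes follow the GitLab REST API responses for `GET /projects/:id` (`repository_access_level`) and `GET /projects/:id/deploy_tokens`; the sample project and tokens are constructed.

```python
"""Audit: find live deploy tokens that still reach repository/registry data
on a project whose Repository feature is disabled (the gap this report describes).
Example code, not GitLab's own; input shapes mirror the GitLab REST API."""
from datetime import datetime, timezone

# Deploy-token scopes that reach the data the Repository switch is documented to disable.
REPO_OR_REGISTRY_SCOPES = {"read_repository", "read_registry", "write_registry"}

# Constructed sample project record (field as returned by GET /projects/:id).
SAMPLE_PROJECT = {"id": 42, "repository_access_level": "disabled"}

# Constructed sample tokens, shaped like GET /projects/:id/deploy_tokens output.
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-pull", "scopes": ["read_repository"],
     "expires_at": None, "revoked": False, "expired": False},
    {"id": 2, "name": "old-pull", "scopes": ["read_repository"],
     "expires_at": "2020-01-01T00:00:00Z", "revoked": False, "expired": False},
    {"id": 3, "name": "registry-push", "scopes": ["write_registry"],
     "expires_at": None, "revoked": False, "expired": False},
    {"id": 4, "name": "pkg-only", "scopes": ["read_package_registry"],
     "expires_at": None, "revoked": False, "expired": False},
    {"id": 5, "name": "revoked", "scopes": ["read_repository"],
     "expires_at": None, "revoked": True, "expired": False},
]


def token_is_live(token, now=None):
    """A token is live unless revoked, flagged expired, or past its expires_at."""
    if token.get("revoked") or token.get("expired"):
        return False
    expires_at = token.get("expires_at")
    if not expires_at:
        return True
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(expires_at.replace("Z", "+00:00")) > now


def tokens_bypassing_disabled_repository(project, tokens, now=None):
    """Live tokens whose scopes still reach repo/registry data on a project with
    Repository disabled; empty when the feature is enabled (nothing to flag)."""
    if project.get("repository_access_level") != "disabled":
        return []
    return [t for t in tokens
            if token_is_live(t, now) and REPO_OR_REGISTRY_SCOPES & set(t.get("scopes", []))]


if __name__ == "__main__":
    for t in tokens_bypassing_disabled_repository(SAMPLE_PROJECT, SAMPLE_TOKENS):
        print(f"revoke deploy token {t['id']} ({t['name']}): scopes {t['scopes']}")
```

Against the constructed sample, only tokens 1 and 3 are flagged: token 2 is past its expiry, token 4 has no repository or registry scope, and token 5 is already revoked.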