Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token
HackerOne report #884174 by vaib25vicky
on 2020-05-28, assigned to @vdesousa:
Security Issue https://gitlab.com/gitlab-org/security/gitlab/-/issues/228
Description
The doc https://docs.gitlab.com/ee/user/project/settings/#sharing-and-permissions states that
If you disable Repository functionality, GitLab also disables the following features for your project:
Merge Requests
Pipelines
Container Registry
Git Large File Storage
Packages
After the repository functionality is disabled, nobody, including the project owner, is allowed to git clone or otherwise access the repository files.
This is not the case with deploy tokens. A deploy token lets you download (git clone) the repository, or push and pull packages and container registry images of a project, without a user account and password. So anyone holding a deploy token for the project is still able to access the project files and the container registry.
Consider a situation where a project's deploy token is stolen or lost and the owner decides to disable the repository functionality instead of revoking the token. This can be problematic, because the owner may reasonably choose to disable the repository first as a defense against the lost token: the GitLab docs state that doing so disables access to the project files as well as the container registry.
Steps to reproduce
As a quick PoC, I am going to use my public project whose repository functionality is disabled:
[REDACTED]
- Going to the link above, you can see that the repository is disabled.
- Use the command below with the project's deploy token:
git clone https://[REDACTED]
- You will see one file named hackerone inside the lame folder.
Impact
Consider a situation where a project's deploy token is stolen or lost and the owner decides to disable the repository functionality instead of revoking the token. This can be problematic, because the owner may reasonably choose to disable the repository first as a defense against the lost token: the GitLab docs state that doing so disables access to the project files as well as the container registry.
What is the current bug behavior?
The repository can still be cloned with a deploy token even after the owner has disabled the repository functionality.
What is the expected correct behavior?
If the repository functionality is disabled, deploy tokens should not be able to clone the repository or access the container registry.
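As an added example (not from the report and not GitLab's own code), the following Python audit lists live deploy tokens whose scopes still grant access to features the project settings claim to have disabled, so that an owner in the situation described above revokes the tokens instead of relying on the repository toggle. It assumes the `repository_access_level` field of the GitLab projects API and the payload shape of `GET /projects/:id/deploy_tokens`; the sample project and token records below are constructed, and the network helper is only used when the script is run against a real instance.

```python
"""Audit deploy tokens against a project's repository access level.

Added example, not part of the HackerOne report or of GitLab itself.
Assumed GitLab REST API fields: `repository_access_level` on the project
object ("enabled", "private" or "disabled") and deploy token records with
`id`, `name`, `scopes`, `expires_at` and `revoked`.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Scopes tied to the features the GitLab docs say are disabled together with
# the repository: the repository itself, the container registry and packages.
AFFECTED_SCOPES = {
    "read_repository",
    "read_registry", "write_registry",
    "read_package_registry", "write_package_registry",
}


def is_live(token, now):
    """A token is usable unless it was revoked or its expiry has passed."""
    if token.get("revoked"):
        return False
    expires_at = token.get("expires_at")
    if expires_at:
        expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
        if expiry <= now:
            return False
    return True


def audit_deploy_tokens(project, tokens, now=None):
    """Return the live tokens that still reach features the project has
    switched off. Each finding names the token and the offending scopes."""
    now = now or datetime.now(timezone.utc)
    if project.get("repository_access_level") != "disabled":
        return []  # nothing is claimed to be blocked, so nothing to flag
    findings = []
    for token in tokens:
        if not is_live(token, now):
            continue
        usable = sorted(set(token.get("scopes", [])) & AFFECTED_SCOPES)
        if usable:
            findings.append({"id": token["id"], "name": token["name"],
                             "scopes": usable})
    return findings


def fetch(base_url, project_id, private_token):
    """Fetch the project and its deploy tokens from a real instance.
    Not exercised offline; PRIVATE-TOKEN is the GitLab API auth header."""
    def get(path):
        req = urllib.request.Request(
            f"{base_url}/api/v4/projects/{project_id}{path}",
            headers={"PRIVATE-TOKEN": private_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get(""), get("/deploy_tokens")


# Constructed sample data: a project with Repository disabled and four tokens.
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_PROJECT = {"id": 1, "repository_access_level": "disabled"}
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-clone", "scopes": ["read_repository"],
     "expires_at": None, "revoked": False},
    {"id": 2, "name": "old-clone", "scopes": ["read_repository"],
     "expires_at": None, "revoked": True},
    {"id": 3, "name": "expired-pull", "scopes": ["read_registry"],
     "expires_at": "2020-01-01T00:00:00Z", "revoked": False},
    {"id": 4, "name": "registry-push", "scopes": ["read_registry", "write_registry"],
     "expires_at": "2021-01-01T00:00:00Z", "revoked": False},
]

if __name__ == "__main__":
    for finding in audit_deploy_tokens(SAMPLE_PROJECT, SAMPLE_TOKENS, SAMPLE_NOW):
        print(f"token {finding['id']} ({finding['name']}) still usable via "
              f"{', '.join(finding['scopes'])}; revoke it")
```

The audit treats revoked and expired tokens as harmless and flags only live tokens whose scopes overlap the affected features; with the sample data it reports tokens 1 and 4, and it reports nothing when the project's repository is enabled.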
Output of checks
This bug happens on GitLab.com