  • #227040
Issue created Jul 06, 2020 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

Confidential issue titles are exposed

HackerOne report #916340 by aemirercin on 2020-07-06, assigned to @cmaxim:

Summary

When you refer to a confidential issue in a commit message and visit the following endpoint, the confidential issue title is exposed in the "commit_title_html" field:
http://host/user/project/-/refs/branch/logs_tree/?format=json&offset=0

Steps to reproduce

  1. Create a public project
  2. Create a confidential issue in this public project
  3. Create a commit in that public project and set the commit message to "Solves #"
  4. Then open a new browser and access the following URL using a different account that is not a member of the project created in step 1
    http://host///-/refs//logs_tree/?format=json&offset=0
  5. You will see the confidential issue title in the "commit_title_html" field

Impact

Confidential issue title is exposed

Examples

Only tested in my local setup, which you can see in the video below

What is the current bug behavior?

Confidential issue title is exposed

What is the expected correct behavior?

Confidential issue title shouldn't be exposed

Relevant logs and/or screenshots

confidential_issue_title.mp4
confidential_issue.png
confidential_issue_response.har

Output of checks

System information
System: Ubuntu 16.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version:5.2.7
Go Version: unknown

GitLab information
Version: 13.1.2-ee
Revision: d3d6e3f6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://192.168.1.55
HTTP Clone URL: http://192.168.1.55/some-group/some-project.git
SSH Clone URL: git@192.168.1.55:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.3.0
Repository storage paths:

  • default: /var/opt/gitlab/git-data/repositories
    GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
    Git: /opt/gitlab/embedded/bin/git

Impact

Confidential issue titles which can include sensitive information are exposed

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • confidential_issue.png
  • confidential_issue_title.mp4
  • confidential_issue_response.har
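
The class of bug reported above, as an added example that is not part of the report and is not GitLab's code: issue references in a commit title are expanded into links carrying the issue title, first without and then with a per-viewer permission check, plus a regression check over the rendered HTML. The issue data, the "#2" reference, the viewer hash and all function names are constructed assumptions for illustration.

```ruby
require 'cgi'

# Hypothetical, simplified model; constructed sample data, not GitLab's schema.
Issue = Struct.new(:iid, :title, :confidential)
ISSUES = {
  1 => Issue.new(1, 'Fix typo in README', false),
  2 => Issue.new(2, 'Constructed confidential title', true)
}.freeze

# Assumed policy: confidential issues are readable by project members only.
def can_read_issue?(viewer, issue)
  !issue.confidential || viewer.fetch(:member, false)
end

def issue_link(issue)
  %(<a href="/issues/#{issue.iid}" title="#{CGI.escapeHTML(issue.title)}">##{issue.iid}</a>)
end

# Expands "#<iid>" references; the block decides whether a reference may be
# linked. The lookbehind skips entities such as "&#39;" produced by escaping.
def expand_refs(message)
  CGI.escapeHTML(message).gsub(/(?<![&\w])#(\d+)\b/) do |ref|
    issue = ISSUES[Regexp.last_match(1).to_i]
    issue && yield(issue) ? issue_link(issue) : ref
  end
end

# Behaviour described in the report: the title is embedded for every viewer.
def commit_title_html_unchecked(message)
  expand_refs(message) { |_issue| true }
end

# Hardened: a reference the viewer cannot read stays plain text.
def commit_title_html(message, viewer)
  expand_refs(message) { |issue| can_read_issue?(viewer, issue) }
end

# Regression check: titles of confidential issues must not occur anywhere in
# HTML rendered for a non-member.
def leaked_titles(html)
  ISSUES.values.select(&:confidential).map(&:title)
        .select { |title| html.include?(CGI.escapeHTML(title)) }
end
```

Running `leaked_titles` over every HTML-bearing field of a response fetched as a non-member gives a test that fails whenever a rendering path skips the permission check.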