Confidential issue titles are exposed
HackerOne report #916340 by aemirercin
on 2020-07-06, assigned to @cmaxim:
Summary
When you reference a confidential issue in a commit message and then request the following endpoint, the confidential issue's title is exposed in the "commit_title_html" field:
http://host/user/project/-/refs/branch/logs_tree/?format=json&offset=0
Steps to reproduce
- Create a public project
- Create a confidential issue in this public project
- Create a commit in that public project and set commit message to "Solves #"
- Then open a new browser and access the following URL using a different account that is not a member of the project created in step 1:
http://host///-/refs//logs_tree/?format=json&offset=0
- You will see the confidential issue title in the "commit_title_html" field
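The root cause described above is a renderer that attaches an issue's title to a `#N` reference without checking whether the viewer may read that issue. The following is an added Ruby example, not GitLab's own code, that models the mitigation: the title is only attached when the viewer passes the confidentiality check, and a companion helper scans a logs_tree-style JSON body for leaked confidential titles so the fix can be regression-tested. The `Issue` struct, `ISSUES` data, `render_commit_title`, `leaked_confidential_titles` and `SAMPLE_RESPONSE` are all hypothetical, constructed for this example.

```ruby
require 'cgi'
require 'json'

# Constructed sample data: a public project with one public and one
# confidential issue. Only "alice" is a project member.
Issue = Struct.new(:iid, :title, :confidential, :project_members, keyword_init: true)

ISSUES = {
  1 => Issue.new(iid: 1, title: "Fix typo in README",
                 confidential: false, project_members: %w[alice]),
  2 => Issue.new(iid: 2, title: "Rotate leaked AWS key in prod",
                 confidential: true, project_members: %w[alice]),
}.freeze

# Authorization check: confidential issues are readable only by project members.
def can_read_issue?(issue, user)
  return true unless issue.confidential
  issue.project_members.include?(user)
end

# Render "#N" references in a commit message as HTML for a given viewer.
# The issue title is attached (as a title attribute, the way a tooltip would
# be) only when the viewer is allowed to read the issue; otherwise the
# reference is emitted as escaped plain text. The message is split on
# references BEFORE escaping so that entity text such as "&#39;" produced by
# escaping can never be mistaken for a reference to issue 39.
def render_commit_title(message, user, issues = ISSUES)
  message.split(/(#\d+)/).map do |part|
    if part =~ /\A#(\d+)\z/
      issue = issues[$1.to_i]
      if issue && can_read_issue?(issue, user)
        %(<a href="/issues/#{issue.iid}" title="#{CGI.escapeHTML(issue.title)}">#{part}</a>)
      else
        CGI.escapeHTML(part)
      end
    else
      CGI.escapeHTML(part)
    end
  end.join
end

# Regression check for the leak: given a logs_tree-style JSON array whose
# entries carry a "commit_title_html" field, return every confidential
# issue title that appears in any of those fields.
def leaked_confidential_titles(json_body, issues = ISSUES)
  confidential = issues.values.select(&:confidential).map(&:title)
  JSON.parse(json_body).flat_map do |entry|
    html = entry.fetch("commit_title_html", "")
    confidential.select { |t| html.include?(CGI.escapeHTML(t)) }
  end.uniq
end

# Constructed response body as a non-member would receive it from a
# vulnerable server: the first entry leaks the confidential title, the
# second is rendered correctly for the non-member "mallory".
SAMPLE_RESPONSE = JSON.generate([
  { "file_name" => "README.md",
    "commit_title_html" => %(Solves <a href="/issues/2" title="Rotate leaked AWS key in prod">#2</a>) },
  { "file_name" => "lib",
    "commit_title_html" => render_commit_title("Solves #2", "mallory") },
])

if __FILE__ == $PROGRAM_NAME
  puts render_commit_title("Solves #2", "mallory")   # non-member: plain "#2"
  puts render_commit_title("Solves #2", "alice")     # member: link with title
  puts leaked_confidential_titles(SAMPLE_RESPONSE).inspect
end
```

The same `leaked_confidential_titles` check can be pointed at a real response captured from the endpoint (after authenticating as a non-member) to confirm the fix holds across all entries, not just the one commit used in the reproduction.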
Impact
Confidential issue title is exposed
Examples
Only tested in my local setup, which you can see in the video below.
What is the current bug behavior?
Confidential issue title is exposed
What is the expected correct behavior?
Confidential issue title shouldn't be exposed
Relevant logs and/or screenshots
Output of checks
System information
System: Ubuntu 16.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version: 5.2.7
Go Version: unknown
GitLab information
Version: 13.1.2-ee
Revision: d3d6e3f6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://192.168.1.55
HTTP Clone URL: http://192.168.1.55/some-group/some-project.git
SSH Clone URL: git@192.168.1.55:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Confidential issue titles, which can include sensitive information, are exposed
Attachments
Warning: Attachments received through HackerOne, please exercise caution!