
Confidential issue titles are exposed

HackerOne report #916340 by aemirercin on 2020-07-06, assigned to @cmaxim:

Summary

When you refer to a confidential issue in a commit message and visit the following endpoint, the confidential issue title is exposed in the "commit_title_html" field:
http://host/user/project/-/refs/branch/logs_tree/?format=json&offset=0

Steps to reproduce

  1. Create a public project
  2. Create a confidential issue in this public project
  3. Create a commit in that public project and set commit message to "Solves #"
  4. Then open a new browser and access the following URL using a different account that is not a member of the project created in step 1
    http://host///-/refs//logs_tree/?format=json&offset=0
  5. You will see the confidential issue title in the "commit_title_html" field
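The check behind the steps above, as an added example (this is not the reporter's code and not part of GitLab): build the logs_tree URL named in the report, request it as an anonymous or non-member caller, and search every "commit_title_html" value for the titles of the project's confidential issues. The host, project path, branch, sample response and issue title are constructed for the example; the response is assumed to be a JSON array whose entries carry "commit_title_html", as the report states, and the `title` attribute on the rendered reference link is an assumption about where the issue title lands in that HTML.

```python
"""Check a GitLab logs_tree JSON response for leaked confidential issue titles.

Added example for this report, not the reporter's code and not GitLab's.
Assumptions: the endpoint shape from the report, a JSON array response whose
entries carry "commit_title_html", and the constructed sample data below.
"""
import html
import json
import urllib.request
from urllib.parse import quote


def logs_tree_url(host, project_path, ref, offset=0):
    """Build the endpoint from the report:
    <host>/<project>/-/refs/<ref>/logs_tree/?format=json&offset=<n>."""
    # Slashes in the ref are kept, since GitLab ref routes accept them.
    return (f"{host.rstrip('/')}/{project_path.strip('/')}/-/refs/"
            f"{quote(ref, safe='/')}/logs_tree/?format=json&offset={offset}")


def fetch_logs_tree(host, project_path, ref, offset=0, token=None):
    """Request the JSON as the caller. Omit `token` to test as anonymous;
    pass a personal access token of a non-member to test that case."""
    req = urllib.request.Request(logs_tree_url(host, project_path, ref, offset),
                                 headers={"Accept": "application/json"})
    if token:
        req.add_header("PRIVATE-TOKEN", token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def leaked_titles(entries, confidential_titles):
    """Return the confidential titles that appear in any commit_title_html.
    The HTML is unescaped first so titles containing &, < or quotes still match."""
    blobs = [html.unescape(e.get("commit_title_html") or "") for e in entries]
    return sorted({t for t in confidential_titles if any(t in b for b in blobs)})


# Constructed sample: what a non-member might receive for the commit made in
# step 3 of the report. The title attribute on the reference link is an
# assumption about how the rendered reference carries the issue title.
SAMPLE_RESPONSE = json.dumps([
    {"file_name": "README.md",
     "commit_title_html": (
         'Solves <a href="/user/project/-/issues/7" '
         'title="Customer X: unpatched SSRF in billing export" '
         'data-reference-type="issue">#7</a>')},
    {"file_name": "app.rb",
     "commit_title_html": "Initial commit"},
])

CONFIDENTIAL_TITLES = ["Customer X: unpatched SSRF in billing export"]


def check_sample():
    """Run the leak check over the constructed sample response."""
    return leaked_titles(json.loads(SAMPLE_RESPONSE), CONFIDENTIAL_TITLES)


if __name__ == "__main__":
    # Against a live instance the call would be, with the report's placeholders:
    # entries = fetch_logs_tree("http://host", "user/project", "branch")
    found = check_sample()
    print("LEAK" if found else "ok", found)
```

Run it with the constructed sample to see the match logic, or swap in `fetch_logs_tree(...)` against a test instance with a non-member token; an empty list from a non-member is the expected correct behaviour, a non-empty list reproduces the report.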

Impact

The confidential issue title is exposed

Examples

Only tested in my local setup, which you can see in the video below

What is the current bug behavior?

The confidential issue title is exposed

What is the expected correct behavior?

The confidential issue title shouldn't be exposed

Relevant logs and/or screenshots

confidential_issue_title.mp4
confidential_issue.png
confidential_issue_response.har

Output of checks

System information
System: Ubuntu 16.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version: 5.2.7
Go Version: unknown

GitLab information
Version: 13.1.2-ee
Revision: d3d6e3f6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://192.168.1.55
HTTP Clone URL: http://192.168.1.55/some-group/some-project.git
SSH Clone URL: git@192.168.1.55:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.3.0
Repository storage paths:

  • default: /var/opt/gitlab/git-data/repositories

GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git

Impact

Confidential issue titles, which can include sensitive information, are exposed

Attachments

Warning: Attachments received through HackerOne, please exercise caution!