Improper Access Control on Deploy-Key
HackerOne report #962231 by ledz1996
on 2020-08-19:
Report
Summary
Similar issue to #957459, this time on Deploy-Key.
Security Issue https://gitlab.com/gitlab-org/security/gitlab/-/issues/227
Steps to reproduce
- As User A (for me, root), create a project. Set it to Public, with Repository set to project members only.
- As User B, create any project, then create a Deploy-Key for that project.
  Generate an SSH key to get the public key:
  ssh-keygen -t rsa -b 2048 -C "email@example.com"
  Copy the content of id_rsa.pub for the Deploy-Key.
- git clone git@gitlab.example.vm:private-user/private-repo.git
I prepared a video for this: Screen_Recording_2020-08-19_at_18.37.42.mov
Results of GitLab environment info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version: 5.2.9
Go Version: unknown
GitLab information
Version: 13.2.6-ee
Revision: e231b6a0b09
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://gitlab.example.vm
HTTP Clone URL: http://gitlab.example.vm/some-group/some-project.git
SSH Clone URL: git@gitlab.example.vm:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Read private files in project
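The access decision the report exercises, as an added illustrative model in Ruby. This is not GitLab's code and it does not claim to reproduce GitLab's actual authorization path; the Project, DeployKey and Access classes, the project paths, and the shape of the flawed check (treating any Public project as readable without looking at the Repository feature setting or at which projects the deploy key is enabled on) are assumptions made for the example. What it shows is the invariant a fix has to hold: a deploy key reads a repository only if it is enabled on that exact project, or if the repository feature itself is open to everyone.

```ruby
# Added illustrative model of deploy-key authorization for a git-over-SSH
# clone. NOT GitLab's code: the structures, project paths and the shape of
# the flawed check below are assumptions made for this example.

# visibility: :public / :private
# repository_access: :everyone / :members_only (the "Repository" feature
# setting of the project, independent of the project's visibility)
Project = Struct.new(:path, :visibility, :repository_access, :members)

# enabled_on: paths of the projects this deploy key was created for / enabled on
DeployKey = Struct.new(:title, :enabled_on)

module Access
  # Flawed check (assumed shape of the bug): a Public project is treated as
  # readable by any deploy key, ignoring the Repository feature setting and
  # whether the key is enabled on the project at all.
  def self.flawed_git_read?(project, deploy_key)
    return true if project.visibility == :public
    deploy_key.enabled_on.include?(project.path)
  end

  # Hardened check: read access requires that the deploy key is enabled on
  # this exact project, or that the repository feature is open to everyone
  # (project Public AND Repository set to everyone).
  def self.git_read?(project, deploy_key)
    return true if deploy_key.enabled_on.include?(project.path)
    project.visibility == :public && project.repository_access == :everyone
  end
end

# Constructed data mirroring the report's scenario.
PRIVATE_REPO = Project.new('private-user/private-repo', :public, :members_only, ['root'])
PUBLIC_REPO  = Project.new('private-user/open-repo', :public, :everyone, ['root'])
OTHER_REPO   = Project.new('user-b/other-project', :private, :members_only, ['user-b'])
USER_B_KEY   = DeployKey.new('user-b deploy key', [OTHER_REPO.path])

# Runs both checks over the scenario and returns the decisions by name.
def reproduce
  {
    flawed_private_repo:   Access.flawed_git_read?(PRIVATE_REPO, USER_B_KEY),
    hardened_private_repo: Access.git_read?(PRIVATE_REPO, USER_B_KEY),
    hardened_public_repo:  Access.git_read?(PUBLIC_REPO, USER_B_KEY),
    hardened_own_project:  Access.git_read?(OTHER_REPO, USER_B_KEY)
  }
end

if __FILE__ == $PROGRAM_NAME
  reproduce.each { |check, allowed| puts "#{check}: #{allowed}" }
end
```

The flawed branch grants User B's key a clone of private-user/private-repo (visibility Public, Repository members only), which is the report's result; the hardened branch denies it, still allows the key on its own project, and still allows a repository whose feature setting is genuinely open to everyone.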
Edited by Shinya Maeda