Able to access wiki with scopeless deploy token even if wikis are disabled
HackerOne report #964057 by vaib25vicky on 2020-08-21, assigned to @dcouture:
Report | Attachments | How To Reproduce
Report
Summary
Deploy token scopes are
There is no scopes for read_wiki. But currently user can read project or group wikis using deploy token even if wikis are disabled
PoC
This is my private test project https://gitlab.com/thevicc/vicctest3 with wiki disabled, the deploy token <REDACTED> don't have read_wiki scope but you'll be able to read wiki anyway
git clone https://<REDACTED>@gitlab.com/thevicc/vicctest3.wiki.git
Steps to reproduce
- Create test private project
- Create deploy token with read_repo scope
- Now you can clone the project wiki using deploy token
- Disabled wiki and you still can access it using deploy token
Impact
Deploy token dont have wiki scope but one still abel to use it to access project or group wikis. Even if wikis are disabled one is able to access it using deploy tokens
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: