
Able to access wiki with scopeless deploy token even if wikis are disabled

HackerOne report #964057 by vaib25vicky on 2020-08-21, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

Summary

Deploy token scopes are:

[attachment: wiki_dep.png]

There is no scope for read_wiki, but currently a user can read project or group wikis using a deploy token even if wikis are disabled.

PoC

This is my private test project https://gitlab.com/thevicc/vicctest3 with the wiki disabled. The deploy token <REDACTED> doesn't have a read_wiki scope, but you'll be able to read the wiki anyway:

git clone https://<REDACTED>@gitlab.com/thevicc/vicctest3.wiki.git

Steps to reproduce
  • Create a test private project
  • Create a deploy token with read_repo scope
  • Now you can clone the project wiki using the deploy token
  • Disable the wiki and you can still access it using the deploy token

Impact

Deploy tokens don't have a wiki scope, but one is still able to use them to access project or group wikis. Even if wikis are disabled, one is able to access them using deploy tokens.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

See the steps above

Edited by Vitor Meireles De Sousa
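The report boils down to an authorization check that maps a deploy token's read_repository scope onto every repository under the project, wiki included, without consulting the wiki feature setting. The following Python model is an added example written for this issue, not GitLab's code and not its actual fix: it parses a clone path into a project and a repository type, shows the flawed check beside one possible hardened check, and includes a small audit helper that lists projects in the state the steps to reproduce describe (wiki disabled, read_repository deploy token present). The Project and DeployToken classes, WIKI_SCOPES, and the sample data are constructed for the example; the scope names and the project path come from the report.

```python
"""Model of deploy-token authorization for git-over-HTTP clone paths.

Hypothetical model written for this issue; it is not GitLab's code.
"""
from dataclasses import dataclass
import re

# Scopes a deploy token can carry (as in the report's screenshot). Note that
# no scope mentions wikis at all.
READ_REPOSITORY = "read_repository"
READ_REGISTRY = "read_registry"
WRITE_REGISTRY = "write_registry"
DEPLOY_TOKEN_SCOPES = frozenset({READ_REPOSITORY, READ_REGISTRY, WRITE_REGISTRY})

# Deploy-token scopes that would grant wiki access. There are none, which is
# exactly the report's point: a deploy token should never reach a wiki repo.
WIKI_SCOPES: frozenset = frozenset()


@dataclass(frozen=True)
class Project:
    path: str           # namespace/project, e.g. "thevicc/vicctest3"
    wiki_enabled: bool  # the project's wiki feature setting


@dataclass(frozen=True)
class DeployToken:
    project_path: str   # project the token was created in
    scopes: frozenset   # subset of DEPLOY_TOKEN_SCOPES


# <namespace>/<project>[.wiki].git as it appears in a clone URL path
_REPO_RE = re.compile(r"^(?P<project>\S+?)(?P<wiki>\.wiki)?\.git$")


def parse_clone_path(path: str) -> tuple:
    """Split a clone path into (project_path, repo_type); repo_type is 'project' or 'wiki'."""
    m = _REPO_RE.match(path.strip("/"))
    if not m:
        raise ValueError(f"not a git repository path: {path!r}")
    return m.group("project"), ("wiki" if m.group("wiki") else "project")


def _token_matches_project(token: DeployToken, project: Project, project_path: str) -> bool:
    return token.project_path == project.path == project_path


def authorize_flawed(token: DeployToken, project: Project, clone_path: str) -> bool:
    """Behaviour described in the report: read_repository is treated as covering
    every repository under the project, wiki included, and the wiki feature
    setting is never consulted."""
    project_path, _repo_type = parse_clone_path(clone_path)
    if not _token_matches_project(token, project, project_path):
        return False
    return READ_REPOSITORY in token.scopes


def authorize_hardened(token: DeployToken, project: Project, clone_path: str) -> bool:
    """One way to close the gap (hypothetical, not GitLab's fix): check the
    feature setting first, then require a scope that actually covers the
    repository type being requested."""
    project_path, repo_type = parse_clone_path(clone_path)
    if not _token_matches_project(token, project, project_path):
        return False
    if repo_type == "wiki":
        if not project.wiki_enabled:
            return False                          # disabled feature: nothing to serve
        return bool(token.scopes & WIKI_SCOPES)   # no wiki scope exists, so denied
    return READ_REPOSITORY in token.scopes


def find_exposed_wikis(projects, tokens) -> list:
    """Audit helper: projects whose wiki is disabled yet have a read_repository
    deploy token, i.e. the condition in the report's steps to reproduce."""
    by_path = {p.path: p for p in projects}
    exposed = set()
    for t in tokens:
        p = by_path.get(t.project_path)
        if p is not None and not p.wiki_enabled and READ_REPOSITORY in t.scopes:
            exposed.add(p.path)
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed sample data mirroring the report's PoC
    proj = Project("thevicc/vicctest3", wiki_enabled=False)
    tok = DeployToken("thevicc/vicctest3", frozenset({READ_REPOSITORY}))
    wiki = "thevicc/vicctest3.wiki.git"
    print("flawed   :", authorize_flawed(tok, proj, wiki))    # True  (the bug)
    print("hardened :", authorize_hardened(tok, proj, wiki))  # False
    print("exposed  :", find_exposed_wikis([proj], [tok]))    # ['thevicc/vicctest3']
```

The hardened variant keeps the feature check ahead of the credential check on purpose: a disabled wiki should be unreachable no matter which token is presented, and the scope lookup against WIKI_SCOPES makes explicit that no deploy-token scope covers wikis at all. The audit helper is the defender's side of the same condition, useful for listing projects to review while an instance is still affected.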