Exposed Name, ID, Path of Private Group In shared_with_groups Data via Projects API
HackerOne report #538029 by rafiem
on 2019-04-14, assigned to estrike:
Hi Team,
Summary
I have found an information disclosure in the Projects API that exposes the name, id, and full path of a private group with which a specific project has been shared. This allows an unauthorized user to view information about a private group that a specific project has been shared with, using the API.
Description
An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. In this case, an unauthorized user is exposed to private group information such as name, id, and full path via the shared_with_groups data.
Steps to Reproduce
1.) User A makes a public project
2.) User A shares the project with a private group that User A has
3.) User B can view the name, id, and full path of User A's private group from the step above using the Projects API
Request
https://gitlab.com/api/v4/projects/1xxxxxxx/
Response
{
  "id": 1xxxxxxx,
  "description": "xxxx",
  "name": "aaaaaa",
  "name_with_namespace": "[REDACTED]",
  "path": "aaaaaa",
  "path_with_namespace": "[REDACTED]",
  "created_at": "2017-02-18T23:58:53.282Z",
  "tag_list": [],
  "ssh_url_to_repo": "[REDACTED]",
  "http_url_to_repo": "[REDACTED]",
  "web_url": "[REDACTED]",
  "readme_url": "[REDACTED]",
  "avatar_url": null,
  "star_count": 0,
  "forks_count": 0,
  "last_activity_at": "2019-09-19T00:17:53.369Z",
  "namespace": {
    "id": 2xxxxxxx,
    "name": "ns",
    "path": "ns",
    "kind": "user",
    "full_path": "ns",
    "parent_id": null
  },
  "_links": {
    "self": "https://gitlab.com/api/v4/projects/1xxxxxxx",
    "issues": "https://gitlab.com/api/v4/projects/1xxxxxxx/issues",
    "repo_branches": "https://gitlab.com/api/v4/projects/1xxxxxxx/repository/branches",
    "labels": "https://gitlab.com/api/v4/projects/1xxxxxxx/labels",
    "events": "https://gitlab.com/api/v4/projects/1xxxxxxx/events",
    "members": "https://gitlab.com/api/v4/projects/1xxxxxxx/members"
  },
  "archived": false,
  "visibility": "public",
  "owner": {
    "id": 3xxxxxxx,
    "name": "ns",
    "username": "ns",
    "state": "active",
    "avatar_url": "https://secure.gravatar.com/avatar/some_uuid?s=80&d=identicon",
    "web_url": [REDACTED]
  },
  "shared_with_groups": [
    {
      "group_id": 4xxxxxxx,
      "group_name": "grp",
      "group_full_path": "grp",
      "group_access_level": 30,
      "expires_at": null
    }
  ],
  ...
}
PoC video attached
Impact
Exposed id, name, and full path of a private group to an unauthorized user
Best Regards,
@rafiem
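The root cause in the report is that the project serializer emits every shared_with_groups entry without checking whether the requesting user is allowed to see the linked group. The Ruby below is an added example, not GitLab's code: it models a public project shared with one public and one private group (constructed sample data), reproduces the unfiltered serialization, and shows the hardened variant that applies the group's own read rule before emitting the link. The Group, ProjectGroupLink, visible_to?, and shared_with_groups_for names are assumptions for this example.

```ruby
# Added example (not GitLab's code): modelling the shared_with_groups
# disclosure and a serializer that filters links by group visibility.

# Group visibility rule used here (simplified, assumption for the example):
# public groups are visible to anyone, private groups only to members.
Group = Struct.new(:id, :name, :full_path, :visibility, :member_ids, keyword_init: true) do
  def visible_to?(user_id)
    visibility == :public || member_ids.include?(user_id)
  end
end

ProjectGroupLink = Struct.new(:group, :access_level, :expires_at, keyword_init: true)

# Constructed sample data: user 1 owns both groups; user 2 is an outsider.
PUBLIC_GROUP  = Group.new(id: 101, name: "docs", full_path: "docs", visibility: :public,  member_ids: [1])
PRIVATE_GROUP = Group.new(id: 102, name: "grp",  full_path: "grp",  visibility: :private, member_ids: [1])

PROJECT_LINKS = [
  ProjectGroupLink.new(group: PUBLIC_GROUP,  access_level: 30, expires_at: nil),
  ProjectGroupLink.new(group: PRIVATE_GROUP, access_level: 30, expires_at: nil),
]

# Shape of one shared_with_groups entry, matching the fields in the report.
def link_to_hash(link)
  {
    "group_id" => link.group.id,
    "group_name" => link.group.name,
    "group_full_path" => link.group.full_path,
    "group_access_level" => link.access_level,
    "expires_at" => link.expires_at,
  }
end

# Behaviour described in the report: every link is serialized regardless
# of who is asking, so private group id, name and full path leak.
def shared_with_groups_unfiltered(links)
  links.map { |l| link_to_hash(l) }
end

# Hardened behaviour: only links whose group the requesting user may read
# are serialized. The access_level and expires_at fields are unchanged;
# the whole entry is simply omitted when the group is not visible.
def shared_with_groups_for(links, requesting_user_id)
  links.select { |l| l.group.visible_to?(requesting_user_id) }
       .map { |l| link_to_hash(l) }
end

if __FILE__ == $PROGRAM_NAME
  require "json"
  puts "unfiltered response seen by any user:"
  puts JSON.pretty_generate(shared_with_groups_unfiltered(PROJECT_LINKS))
  puts "filtered response for user 2 (not a member of grp):"
  puts JSON.pretty_generate(shared_with_groups_for(PROJECT_LINKS, 2))
end
```

The filter is applied per link rather than by hiding the whole shared_with_groups array, so a legitimate member of the private group (user 1 above) still sees the complete list while an outsider sees only the public group.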