GitLab.org / GitLab / Issues / #28226 (Closed)

Issue created Apr 23, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Exposed Name, ID, Path of Private Group In shared_with_groups Data via Projects API

HackerOne report #538029 by rafiem on 2019-04-14, assigned to estrike:

Hi Team,

Summary

I have found an information disclosure in the Projects API that discloses the name, id, and full path of a private group with which a specific project has been shared. This allows an unauthorized user to view information about a private group with which a specific project has been shared, using the API.

Description

An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. In this case, an unauthorized user is exposed to private group information such as name, id, and full path via the shared_with_groups data.

Steps to Reproduce

1.) User A makes a public project
2.) User A shares the project with a private group that User A owns
3.) User B can view the information (name, id, and full path) of User A's private group from the step above using the Projects API

Request

https://gitlab.com/api/v4/projects/1xxxxxxx/

Response

{
    "id": 1xxxxxxx,
    "description": "xxxx",
    "name": "aaaaaa",
    "name_with_namespace": "[REDACTED]",
    "path": "aaaaaa",
    "path_with_namespace": "[REDACTED]",
    "created_at": "2017-02-18T23:58:53.282Z",
    "tag_list": [],
    "ssh_url_to_repo": "[REDACTED]",
    "http_url_to_repo": "[REDACTED]",
    "web_url": "[REDACTED]",
    "readme_url": "[REDACTED]",
    "avatar_url": null,
    "star_count": 0,
    "forks_count": 0,
    "last_activity_at": "2019-09-19T00:17:53.369Z",
    "namespace": {
        "id": 2xxxxxxx,
        "name": "ns",
        "path": "ns",
        "kind": "user",
        "full_path": "ns",
        "parent_id": null
    },
    "_links": {
        "self": "https://gitlab.com/api/v4/projects/1xxxxxxx",
        "issues": "https://gitlab.com/api/v4/projects/1xxxxxxx/issues",
        "repo_branches": "https://gitlab.com/api/v4/projects/1xxxxxxx/repository/branches",
        "labels": "https://gitlab.com/api/v4/projects/1xxxxxxx/labels",
        "events": "https://gitlab.com/api/v4/projects/1xxxxxxx/events",
        "members": "https://gitlab.com/api/v4/projects/1xxxxxxx/members"
    },
    "archived": false,
    "visibility": "public",
    "owner": {
        "id": 3xxxxxxx,
        "name": "ns",
        "username": "ns",
        "state": "active",
        "avatar_url": "https://secure.gravatar.com/avatar/some_uuid?s=80&d=identicon",
        "web_url": [REDACTED]
    },
    "shared_with_groups": [
        {
            "group_id": 4xxxxxxx,
            "group_name": "grp",
            "group_full_path": "grp",
            "group_access_level": 30,
            "expires_at": null
        }
    ],
    ...
}

PoC video attached

Impact

Exposed id, name, and full path of a private group to an unauthorized user

Best Regards,
@rafiem

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • PoC.mp4
Edited Dec 01, 2021 by Nikhil George
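The report above describes a serializer that emits every `shared_with_groups` entry regardless of who is asking. The following Ruby model, added here as an illustration and not GitLab's own code, contrasts that unfiltered behaviour with a version that drops links to groups the requester cannot read. The visibility rules (public visible to all, internal to any signed-in user, private only to members), the `Group`/`GroupLink` structs and the sample ids are simplifying assumptions made for this example.

```ruby
# Illustrative model (assumed, not GitLab's implementation).
# Visibility rules are simplified: public groups are visible to everyone,
# internal groups to any signed-in user, private groups only to their members.
Group = Struct.new(:id, :name, :full_path, :visibility, :member_ids, keyword_init: true)
GroupLink = Struct.new(:group, :access_level, :expires_at, keyword_init: true)

# Can the requester (user id, or nil when anonymous) read this group at all?
def group_visible_to?(group, user_id)
  case group.visibility
  when :public   then true
  when :internal then !user_id.nil?
  when :private  then !user_id.nil? && group.member_ids.include?(user_id)
  else false
  end
end

# Shape of one shared_with_groups entry, matching the fields in the report.
def serialize_link(link)
  {
    "group_id" => link.group.id,
    "group_name" => link.group.name,
    "group_full_path" => link.group.full_path,
    "group_access_level" => link.access_level,
    "expires_at" => link.expires_at
  }
end

# Behaviour the report describes: every link is serialized for every caller,
# so a private group's id, name and full path leak to unauthorized users.
def shared_with_groups_unfiltered(links)
  links.map { |l| serialize_link(l) }
end

# Corrected behaviour: authorize each linked group against the requester
# before serializing it, so private groups only appear for their members.
def shared_with_groups_for(links, user_id)
  links.select { |l| group_visible_to?(l.group, user_id) }.map { |l| serialize_link(l) }
end

# Constructed sample data; ids and names are made up for this example.
PUBLIC_GRP  = Group.new(id: 10, name: "docs-team", full_path: "docs-team", visibility: :public, member_ids: [1])
PRIVATE_GRP = Group.new(id: 42, name: "grp", full_path: "grp", visibility: :private, member_ids: [1])
LINKS = [
  GroupLink.new(group: PUBLIC_GRP,  access_level: 20, expires_at: nil),
  GroupLink.new(group: PRIVATE_GRP, access_level: 30, expires_at: nil)
]

if __FILE__ == $PROGRAM_NAME
  puts "anonymous, unfiltered: #{shared_with_groups_unfiltered(LINKS).map { |h| h['group_full_path'] }}"
  puts "anonymous, filtered:   #{shared_with_groups_for(LINKS, nil).map { |h| h['group_full_path'] }}"
  puts "member 1, filtered:    #{shared_with_groups_for(LINKS, 1).map { |h| h['group_full_path'] }}"
end
```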