
Exposed Name, ID, Path of Private Group In shared_with_groups Data via Projects API

HackerOne report #538029 by rafiem on 2019-04-14, assigned to estrike:

Hi Team,

Summary

I have found an information disclosure in the Projects API that discloses or exposes the name, ID, and full path of a private group with which a specific project has been shared. This allows an unauthorized user to view information about a private group that a specific project was shared with, using the API.

Description

An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. In this case, an unauthorized user is exposed to private group information such as name, ID, and full path via the shared_with_groups data.

Steps to Reproduce

1.) User A makes a public project
2.) User A shares the project with a private group that User A has
3.) User B can view the information (name, ID, and full path) of User A's private group from the above step using the Projects API

Request

https://gitlab.com/api/v4/projects/1xxxxxxx/  

Response

{
    "id": 1xxxxxxx,  
    "description": "xxxx",  
    "name": "aaaaaa",  
    "name_with_namespace": "[REDACTED]",  
    "path": "aaaaaa",  
    "path_with_namespace": "[REDACTED]",  
    "created_at": "2017-02-18T23:58:53.282Z",  
    "tag_list": [],  
    "ssh_url_to_repo": "[REDACTED]",  
    "http_url_to_repo": "[REDACTED]",  
    "web_url": "[REDACTED]",  
    "readme_url": "[REDACTED]",  
    "avatar_url": null,  
    "star_count": 0,  
    "forks_count": 0,  
    "last_activity_at": "2019-09-19T00:17:53.369Z",  
    "namespace": {  
        "id": 2xxxxxxx,  
        "name": "ns",  
        "path": "ns",  
        "kind": "user",  
        "full_path": "ns",  
        "parent_id": null  
    },  
    "_links": {  
        "self": "https://gitlab.com/api/v4/projects/1xxxxxxx",  
        "issues": "https://gitlab.com/api/v4/projects/1xxxxxxx/issues",  
        "repo_branches": "https://gitlab.com/api/v4/projects/1xxxxxxx/repository/branches",  
        "labels": "https://gitlab.com/api/v4/projects/1xxxxxxx/labels",  
        "events": "https://gitlab.com/api/v4/projects/1xxxxxxx/events",  
        "members": "https://gitlab.com/api/v4/projects/1xxxxxxx/members"  
    },  
    "archived": false,  
    "visibility": "public",  
    "owner": {  
        "id": 3xxxxxxx,  
        "name": "ns",  
        "username": "ns",  
        "state": "active",  
        "avatar_url": "https://secure.gravatar.com/avatar/some_uuid?s=80&d=identicon",  
        "web_url": [REDACTED]  
    },  
    "shared_with_groups": [  
        {  
            "group_id": 4xxxxxxx,  
            "group_name": "grp",  
            "group_full_path": "grp",  
            "group_access_level": 30,  
            "expires_at": null  
        }  
    ],  
    ...
}

PoC video attached

Impact

Exposes the ID, name, and full path of a private group to an unauthorized user

Best Regards,
@rafiem

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Nikhil George
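The report above shows the leaky response but not the server-side logic behind it. The following Ruby block is an added illustration, not GitLab's own code or the fix that was shipped for this report: it models a project with group share links, a leaky `shared_with_groups` serialization that emits every link regardless of who asks, and a hardened variant that drops links to groups the requesting user cannot see. The `Group`, `GroupLink` and `Project` structs, the `visible_to?` rule (public group, or the user is a member), the sample group and user IDs, and the helper names are all assumptions made for this example; real GitLab visibility rules are more involved (nested groups, shared memberships, admin users).

```ruby
# Added example, not GitLab code: leaky vs. hardened shared_with_groups.
require 'json'

# Minimal stand-in for a GitLab group. member_ids lists user IDs with any
# membership; the visibility rule below is a simplification (assumption).
Group = Struct.new(:id, :name, :full_path, :visibility, :member_ids) do
  def visible_to?(user_id)
    return true if visibility == 'public'
    !user_id.nil? && member_ids.include?(user_id)
  end
end

# A share of a project with a group at a given access level (30 = Developer).
GroupLink = Struct.new(:group, :group_access, :expires_at)
Project   = Struct.new(:id, :name, :visibility, :group_links)

# One entry of the shared_with_groups array, shaped like the API response.
def link_entity(link)
  {
    'group_id'           => link.group.id,
    'group_name'         => link.group.name,
    'group_full_path'    => link.group.full_path,
    'group_access_level' => link.group_access,
    'expires_at'         => link.expires_at
  }
end

# Leaky form: every share link is serialized, so a private group's ID, name
# and full path reach anyone who can read the (public) project.
def shared_with_groups_leaky(project)
  project.group_links.map { |link| link_entity(link) }
end

# Hardened form: only links to groups the caller can see are serialized.
# current_user_id is nil for an unauthenticated caller.
def shared_with_groups_filtered(project, current_user_id)
  project.group_links
         .select { |link| link.group.visible_to?(current_user_id) }
         .map { |link| link_entity(link) }
end

# The reporter's check, expressed as a function: which group IDs does the
# leaky response reveal to this caller that the hardened one would not?
def leaked_group_ids(project, current_user_id)
  leaky    = shared_with_groups_leaky(project).map { |e| e['group_id'] }
  filtered = shared_with_groups_filtered(project, current_user_id).map { |e| e['group_id'] }
  leaky - filtered
end

# Constructed sample data (assumption): User A (id 1) owns a public project
# shared with one public group and one private group; User B (id 2) is an
# outsider with no memberships.
PUBLIC_GROUP  = Group.new(100, 'open-tools', 'open-tools', 'public',  [1])
PRIVATE_GROUP = Group.new(200, 'grp',        'grp',        'private', [1])
PROJECT = Project.new(1, 'aaaaaa', 'public',
                      [GroupLink.new(PUBLIC_GROUP, 30, nil),
                       GroupLink.new(PRIVATE_GROUP, 30, nil)])
USER_A = 1
USER_B = 2

if __FILE__ == $PROGRAM_NAME
  puts 'Leaky response (any caller):'
  puts JSON.pretty_generate('shared_with_groups' => shared_with_groups_leaky(PROJECT))
  puts 'Hardened response for User B:'
  puts JSON.pretty_generate('shared_with_groups' => shared_with_groups_filtered(PROJECT, USER_B))
  puts "Group IDs leaked to User B: #{leaked_group_ids(PROJECT, USER_B).inspect}"
end
```

Run with `ruby` and the leaky output lists both groups for every caller, while the hardened output for User B (or an anonymous caller) lists only the public group; `leaked_group_ids` returns the private group's ID for User B and an empty array for User A. The design point is that the filter has to live in the serializer (or the query feeding it), keyed on the requesting user, rather than relying on the project's own visibility to gate what is embedded in its response.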