Protected tags API reveals the private group's new name even after they are removed from project membership
HackerOne report #566078 by ashish_r_padelkar on 2019-05-04, assigned to estrike:
Summary
Hello,
At https://gitlab.com/<GroupName>/<ProjectName>/settings/repository#js-protected-tags-settings, you can add a group in protected tags only if it is shared with this project.
When you add such groups here, these groups remain there even after they are removed from the projects.
This is an issue especially for private projects because this vulnerability may reveal the new name of the groups (if renamed after removing).
Steps to reproduce
- As a project Maintainer, add a group in protected tags here at https://gitlab.com/<GroupName>/<ProjectName>/settings/repository#js-protected-tags-settings which is shared in this project. Let's say GroupA (public group as of now).
- Other project maintainer/owner removes this GroupA from this project membership here at https://gitlab.com/<GroupName>/<ProjectName>/project_members and then makes it private and then renames it as GroupB.
- The other maintainers of the project won't see this new group name as they don't have access to it and it is private now.
- But it was added in protected tags before, so they can use the below API endpoint: https://gitlab.com/api/v4/projects/<ProjectID>/protected_tags
- This will reveal the new group name through the access_level_description parameter from the response!
What is the current bug behavior?
Protected tags API reveals the private group name even after they are removed from project membership
What is the expected correct behavior?
Once a group is removed from project membership, it shouldn't be part of protected tags. This works as expected for protected branches but not for protected tags.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too
Regards,
Ashish
Impact
As mentioned previously, this reveals the new private group names even after they are removed from project membership!
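A maintainer-side audit for the condition described in this report, as an added example that is not part of the original report or GitLab's own code: it compares the group grants on a project's protected tags with the groups currently shared with the project and flags grants left behind. The `shared_with_groups`, `create_access_levels` and `group_id` field names are assumptions about the API response shape (the report itself only names `access_level_description`), and both JSON samples are constructed.

```python
import json

# Constructed sample of GET /api/v4/projects/<ProjectID> (trimmed to the relevant field).
PROJECT_JSON = """
{"id": 1001, "shared_with_groups": [
  {"group_id": 21, "group_name": "GroupC", "group_access_level": 30}
]}
"""

# Constructed sample of GET /api/v4/projects/<ProjectID>/protected_tags.
PROTECTED_TAGS_JSON = """
[
 {"name": "v*", "create_access_levels": [
   {"access_level": 40, "access_level_description": "Maintainers",
    "user_id": null, "group_id": null},
   {"access_level": 40, "access_level_description": "GroupB",
    "user_id": null, "group_id": 20}
 ]},
 {"name": "release-*", "create_access_levels": [
   {"access_level": 30, "access_level_description": "GroupC",
    "user_id": null, "group_id": 21}
 ]}
]
"""

def stale_group_grants(project, protected_tags):
    """Return (tag_name, group_id) pairs for group grants on protected tags
    whose group is no longer shared with the project."""
    shared = {g["group_id"] for g in project.get("shared_with_groups", [])}
    stale = []
    for tag in protected_tags:
        for level in tag.get("create_access_levels", []):
            gid = level.get("group_id")
            # Role-based and user-based entries carry no group_id; skip them.
            if gid is not None and gid not in shared:
                # Record the id only, so the audit output does not repeat the group name.
                stale.append((tag["name"], gid))
    return stale

def audit(project_json, tags_json):
    return stale_group_grants(json.loads(project_json), json.loads(tags_json))

if __name__ == "__main__":
    for name, gid in audit(PROJECT_JSON, PROTECTED_TAGS_JSON):
        print(f"protected tag {name!r}: group {gid} is no longer shared with the project")
```

Any pair it reports is a protected-tag grant to remove from the project's repository settings.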