Anonymous user can enumerate all users through `/api/v4/users/:id`
Background
An anonymous user can currently use the API to retrieve information about any GitLab user by either ID or username:
- Anonymous users CANNOT use the API endpoint to list all users. An anonymous request returns 403 Forbidden unless there is a `username` parameter. That is deliberate. (From 20f679d6: "The issue filtering frontend code needs access to this [username] API for non-logged-in users + public projects.")
- Anonymous users CAN use the API endpoint to get a single user by numeric ID. An anonymous request returns 200 OK with the user's information. This may not be deliberate.
Problem to solve
Anonymous users can enumerate GitLab users through the API endpoint that returns a single user (`/api/v4/users/:id`), because the `:id` values are numeric and sequential: an unauthenticated client can simply walk the IDs upward and collect the returned user information for every account. This shouldn't be allowed in general, and it is also inconsistent with how the API endpoint that lists all users treats anonymous requests.
Proposal
Anonymous users should not be able to get user information by ID.
Note: This proposal is only feasible if there is no frontend dependency on this endpoint (like there is with `username` lookup).
Since the same attack applies to `/api/v4/users/:id/followers` and `/api/v4/users/:id/following`, we should require authentication for those endpoints too.
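To make the problem and the proposed check concrete, the following is an added example (not GitLab's own code): a small probe that walks sequential numeric IDs without any token and records which of the three endpoints answer 200 OK, plus a verdict function that a test suite could use to confirm that all three endpoints require authentication after the change. The transport is injected so the logic runs offline against the constructed `fake_gitlab` responder at the bottom; the response bodies in that responder are constructed stand-ins, not captured GitLab output. The base URL `https://gitlab.example` is a placeholder.

```python
"""Anonymous user-enumeration check for the GitLab endpoints named in this issue.

Added example, not GitLab's own code. It issues unauthenticated GETs for a
range of sequential numeric IDs and records which endpoints answer 200 OK.
The transport is injected (`fetch`) so the logic runs offline against the
constructed `fake_gitlab` responder below; `http_fetch` is the real one.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Paths named in the issue; "{id}" is substituted with each numeric user ID.
ENDPOINTS = (
    "/api/v4/users/{id}",
    "/api/v4/users/{id}/followers",
    "/api/v4/users/{id}/following",
)

Fetch = Callable[[str], Tuple[int, str]]  # url -> (http status, body)


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Unauthenticated GET: no PRIVATE-TOKEN header and no session cookie."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/404 are reported as results, not errors
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, ids: Iterable[int], fetch: Fetch = http_fetch) -> Dict[str, Dict]:
    """Walk sequential IDs anonymously.

    Returns {"exposed": {endpoint: [ids that answered 200]},
             "usernames": {id: username recovered from /users/:id}}.
    """
    base = base_url.rstrip("/")
    exposed: Dict[str, List[int]] = {ep: [] for ep in ENDPOINTS}
    usernames: Dict[int, str] = {}
    for uid in ids:
        for ep in ENDPOINTS:
            status, body = fetch(base + ep.format(id=uid))
            if status != 200:
                continue
            exposed[ep].append(uid)
            if ep == ENDPOINTS[0]:
                try:
                    usernames[uid] = json.loads(body)["username"]
                except (ValueError, KeyError, TypeError):
                    pass  # 200 without a JSON user object still counts as exposed
    return {"exposed": exposed, "usernames": usernames}


def requires_auth(result: Dict[str, Dict]) -> bool:
    """True when no probed ID leaked through any of the three endpoints."""
    return not any(result["exposed"].values())


# --- constructed offline stand-in for a GitLab instance (not real responses) ---
_PATH = re.compile(r"/api/v4/users/(\d+)(/followers|/following)?$")


def fake_gitlab(users: Dict[int, str], require_auth: bool) -> Fetch:
    """Return a fetch() mimicking the current behaviour (require_auth=False) or
    the proposed behaviour (require_auth=True) towards anonymous callers."""

    def fetch(url: str) -> Tuple[int, str]:
        m = _PATH.search(url)
        if not m:
            return 404, json.dumps({"message": "404 Not Found"})
        if require_auth:
            return 403, json.dumps({"message": "403 Forbidden"})
        uid = int(m.group(1))
        if uid not in users:
            return 404, json.dumps({"message": "404 User Not Found"})
        if m.group(2):  # followers / following: an empty list for this sample
            return 200, "[]"
        return 200, json.dumps({"id": uid, "username": users[uid]})

    return fetch


if __name__ == "__main__":
    sample_users = {1: "root", 2: "alice", 3: "bob"}  # constructed sample data
    before = probe("https://gitlab.example", range(1, 6), fake_gitlab(sample_users, False))
    after = probe("https://gitlab.example", range(1, 6), fake_gitlab(sample_users, True))
    print("before the change, usernames recovered:", before["usernames"])
    print("before the change, all endpoints require auth?", requires_auth(before))
    print("after the change, all endpoints require auth?", requires_auth(after))
```

Against a live instance, replace the fake fetcher with the default `http_fetch` and a real base URL; a non-empty `usernames` map is the enumeration the issue describes, and `requires_auth` returning True for a range of IDs that are known to exist is the condition the proposal aims for.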
Out of scope
The API endpoint to look up users by username should not be changed, because the frontend relies on it for anonymous users, and it is not as vulnerable to enumeration: a caller has to already know a username to query it, whereas numeric IDs can simply be iterated.
Related links
- This problem was noticed in https://gitlab.com/gitlab-org/gitlab/-/issues/288853.