  • #297473
Closed
Open
Issue created Jan 13, 2021 by Ron Chan@rchan-gitlabContributor

Anonymous user can enumerate all users through `/api/v4/users/:id`

Background

An anonymous user can currently use the API to retrieve information about any GitLab user by either ID or username:

  • Anonymous users CANNOT use the API endpoint to list all users. An anonymous request returns 403 Forbidden unless a `username` parameter is supplied. That is deliberate. From 20f679d6: "The issue filtering frontend code needs access to this [username] API for non-logged-in users + public projects."
  • Anonymous users CAN use the API endpoint to get a single user by numeric ID. An anonymous request returns 200 OK with the user's information. This may not be deliberate.

Problem to solve

Anonymous users can enumerate GitLab users through the API endpoint that returns a single user (/api/v4/users/:id), because the :id values are numeric and sequential. This should arguably not be allowed at all, and it is also inconsistent with how the endpoint that lists all users is treated for anonymous requests.

Proposal

Anonymous users should not be able to get user information by ID.

Note: This proposal is only feasible if there is no frontend dependency (like there is with username lookup).

Since the same attack applies to /api/v4/users/:id/followers and /api/v4/users/:id/following, we should require authentication for those endpoints too.
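Until the endpoints require authentication, the behaviour described above is visible in API access logs: an unauthenticated client walking /api/v4/users/:id (and the followers/following sub-paths) produces many requests with distinct, consecutive numeric IDs from one source. The following detector is an added example, not GitLab's own code; it assumes a JSON-lines API log with constructed field names (`remote_ip`, `method`, `path`, `username`, where `username` is null for anonymous requests), and the sample lines are constructed here for illustration.

```ruby
require 'json'
require 'set'

# Constructed sample log in a GitLab-like JSON-lines shape. The field names
# are an assumption for this example, not GitLab's exact log schema.
SAMPLE_LOG = <<~LOG
  {"time":"2021-01-13T10:00:00Z","remote_ip":"198.51.100.7","method":"GET","path":"/api/v4/users/101","status":200,"username":null}
  {"time":"2021-01-13T10:00:01Z","remote_ip":"198.51.100.7","method":"GET","path":"/api/v4/users/102","status":200,"username":null}
  {"time":"2021-01-13T10:00:02Z","remote_ip":"198.51.100.7","method":"GET","path":"/api/v4/users/103","status":200,"username":null}
  {"time":"2021-01-13T10:00:03Z","remote_ip":"198.51.100.7","method":"GET","path":"/api/v4/users/104","status":200,"username":null}
  {"time":"2021-01-13T10:00:04Z","remote_ip":"198.51.100.7","method":"GET","path":"/api/v4/users/105/followers","status":200,"username":null}
  {"time":"2021-01-13T10:00:05Z","remote_ip":"198.51.100.7","method":"GET","path":"/api/v4/users/106/following","status":200,"username":null}
  {"time":"2021-01-13T10:01:00Z","remote_ip":"203.0.113.5","method":"GET","path":"/api/v4/users/101","status":200,"username":"alice"}
  {"time":"2021-01-13T10:01:01Z","remote_ip":"203.0.113.5","method":"GET","path":"/api/v4/users/102","status":200,"username":"alice"}
  {"time":"2021-01-13T10:01:02Z","remote_ip":"203.0.113.5","method":"GET","path":"/api/v4/users/103","status":200,"username":"alice"}
  {"time":"2021-01-13T10:01:03Z","remote_ip":"203.0.113.5","method":"GET","path":"/api/v4/users/104","status":200,"username":"alice"}
  {"time":"2021-01-13T10:01:04Z","remote_ip":"203.0.113.5","method":"GET","path":"/api/v4/users/105","status":200,"username":"alice"}
  {"time":"2021-01-13T10:02:00Z","remote_ip":"192.0.2.9","method":"GET","path":"/api/v4/users","query":"username=bob","status":200,"username":null}
  {"time":"2021-01-13T10:02:01Z","remote_ip":"192.0.2.9","method":"GET","path":"/api/v4/users/42","status":200,"username":null}
LOG

# The three endpoints named in the issue: /users/:id plus its followers and
# following sub-paths. Username lookups (/users?username=...) do not match.
USER_ID_PATH = %r{\A/api/v4/users/(\d+)(?:/followers|/following)?\z}

def parse_events(text)
  text.each_line.map { |line| JSON.parse(line) }
end

# Collect, per source IP, the distinct numeric user IDs that anonymous GET
# requests touched on the ID-based endpoints. Authenticated requests are
# ignored because the issue is specifically about anonymous access.
def anonymous_user_id_requests(events)
  ids_by_ip = Hash.new { |h, k| h[k] = Set.new }
  events.each do |e|
    next unless e['username'].nil? && e['method'] == 'GET'
    match = USER_ID_PATH.match(e['path'])
    next unless match
    ids_by_ip[e['remote_ip']] << match[1].to_i
  end
  ids_by_ip.transform_values { |ids| ids.to_a.sort }
end

# Length of the longest run of consecutive IDs; sequential walks of a
# numeric ID space are what makes the endpoint enumerable.
def longest_sequential_run(sorted_ids)
  return 0 if sorted_ids.empty?
  best = run = 1
  sorted_ids.each_cons(2) do |a, b|
    run = b == a + 1 ? run + 1 : 1
    best = run if run > best
  end
  best
end

# Emit one alert per source IP whose anonymous ID lookups look like a walk
# of the user table: many distinct IDs, or a long consecutive run.
def enumeration_alerts(events, min_distinct: 5, min_run: 4)
  anonymous_user_id_requests(events).filter_map do |ip, ids|
    run = longest_sequential_run(ids)
    next unless ids.size >= min_distinct || run >= min_run
    { ip: ip, distinct_ids: ids.size, longest_run: run }
  end
end

if $PROGRAM_NAME == __FILE__
  enumeration_alerts(parse_events(SAMPLE_LOG)).each { |alert| puts alert.inspect }
end
```

On the constructed sample only 198.51.100.7 is flagged: the authenticated client from 203.0.113.5 made the same lookups but is out of scope, and 192.0.2.9 used the username lookup plus a single ID request, which stays below both thresholds. The thresholds are deliberately low for the sample; tune them against real traffic volume.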

Out of scope

The API endpoint to "lookup users by username" should not be changed, because the frontend relies on this endpoint for anonymous users, and this endpoint is not as vulnerable to enumeration.

Related links

  • This problem was noticed in https://gitlab.com/gitlab-org/gitlab/-/issues/288853.
Edited Sep 02, 2021 by Pavel Shutsin