Pipeline & Docker Job log leaked via API

HackerOne report #651649 by rizkylab on 2019-07-20, assigned to hackerjuan:

GitLab allows restricting the project features for public projects. When disabling all features of a public project for non-project members, the full log is still accessible via the API under https://gitlab.com/rizkylab/test/-/jobs/255046282/trace.json.

Steps to reproduce

Reproduced on gitlab-runner 12.1.0-rc1 (6da35412)

    • Create a public project,
    • Test running a pipeline

I have tested on --> https://gitlab.com/rizkylab/test/-/jobs/255046282/trace.json
As a non-project member, perform the following API request (substitute the project id).
Although the user does not have access to the project and is not a project member, the API returns:

Impact

Related to upcoming security job log, etc.

Impact

Docker job log is leaked

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • jobs_pipeline_leaked_docker_log.png
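A regression check for the exposure described in this report, added here as an example and not code from the report or from GitLab. It issues unauthenticated requests for a job's log over both routes a non-member could use (the web `trace.json` URL quoted above and the REST API `GET /projects/:id/jobs/:job_id/trace`) and flags any route that returns log content; the host, project path, project id and job id are placeholders to replace with your own project, and the `fetch` parameter is injectable so the classification logic can be tested offline.

```python
"""Check whether a job log is readable without authentication.

Run by a project owner against their own project after restricting features
for non-members. Added example; not part of the original report or GitLab.
"""
import urllib.error
import urllib.request


def trace_urls(base, project_path, project_id, job_id):
    """Both routes an anonymous client could use to read a job log."""
    return {
        "web": f"{base}/{project_path}/-/jobs/{job_id}/trace.json",
        "api": f"{base}/api/v4/projects/{project_id}/jobs/{job_id}/trace",
    }


def anonymous_get(url):
    """Unauthenticated GET: returns (status, body, final_url). No token is sent."""
    req = urllib.request.Request(url, headers={"Accept": "*/*"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.geturl()
    except urllib.error.HTTPError as e:
        return e.code, "", url


def classify(status, body, final_url):
    """'leak' if log content came back anonymously, 'denied' if access was refused."""
    if status == 200 and "sign_in" in final_url:
        return "denied"          # web route redirected to the login page
    if status == 200:
        return "leak" if body.strip() else "empty"   # 200 with no body: job has no trace yet
    if status in (401, 403, 404):
        return "denied"
    return "unexpected"


def check_job_log_exposure(base, project_path, project_id, job_id, fetch=anonymous_get):
    """Classify each route; `fetch` can be replaced by a stub for offline tests."""
    return {name: classify(*fetch(url))
            for name, url in trace_urls(base, project_path, project_id, job_id).items()}


if __name__ == "__main__":
    # Constructed placeholder values (assumptions): substitute your own project.
    print(check_job_log_exposure("https://gitlab.example.com", "group/project", 12345, 678))
```

Any route reported as "leak" means a non-member can still read the job log after the project's features were restricted, which is the condition the report describes.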