WebIDE discloses information about private projects
HackerOne report #1167218 by 0xn3va on 2021-04-17, assigned to GitLab Team:
Report
Summary
When you open a project in WebIDE at the /-/ide/project/<full_project_path> path, the IdeController looks up the project with the following method:
  def project
    strong_memoize(:project) do
      next unless params[:project_id].present?

      # Looks the project up purely by its full path; there is no check
      # that the current user is allowed to read the project found.
      Project.find_by_full_path(params[:project_id])
    end
  end
The result of that lookup is used inside IdeHelper.ide_data:
  module IdeHelper
    def ide_data
      {
        # ...
        # @project is whatever IdeController#project returned, so a private
        # project is serialized here without any permission check.
        'project' => convert_to_project_entity_json(@project)
      }
    end
  end
The 'project' value is passed to the app/views/ide/_show.html.haml template. Since IdeController.project does not check permissions, the /-/ide/project/<full_project_path> path discloses information about private projects.
Steps to reproduce
- Log in as user1
- Create and initialize a private project
- Log in as user2
- Go to the following path: /-/ide/project/<user1>/<private-project>
- Open the page source and find the project data by the data-project= keyword
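The following is an added illustration, not GitLab's code, of the defect described in the Summary and of what user2 ends up seeing in the steps above. It models the path-only lookup beside a hardened version that only exposes the project when the current user may read it; the Project and User structs, the sample data and the can_read_project? policy stand-in (a simplification of GitLab's can?(user, :read_project, project)) are all constructed for this example.

```ruby
require 'json'

# Constructed minimal stand-ins for the GitLab objects involved.
Project = Struct.new(:id, :full_path, :visibility, :owner_id)
User    = Struct.new(:id, :username)

# Constructed sample data: user1 owns a private project, user2 is unrelated.
USER1 = User.new(1, 'user1')
USER2 = User.new(2, 'user2')
PROJECTS = [Project.new(42, 'user1/private-project', 'private', USER1.id)]

def find_by_full_path(path)
  PROJECTS.find { |p| p.full_path == path }
end

# Stand-in for GitLab's `can?(user, :read_project, project)` (assumption: the
# real policy is richer; here public projects are readable by anyone and
# private ones only by their owner).
def can_read_project?(user, project)
  project.visibility == 'public' || (user && user.id == project.owner_id)
end

# Before: the lookup the report describes. Whatever project matches the path
# is returned, regardless of who is asking.
def vulnerable_project_lookup(project_id, _current_user)
  return nil unless project_id && !project_id.empty?
  find_by_full_path(project_id)
end

# After: same lookup, but the project is only exposed when the current user
# is allowed to read it. Returning nil makes the view render no project data.
def hardened_project_lookup(project_id, current_user)
  project = vulnerable_project_lookup(project_id, current_user)
  return nil unless project && can_read_project?(current_user, project)
  project
end

# Stand-in for ide_data: the value that lands in the `data-project` attribute.
def ide_data(project)
  return { 'project' => nil } unless project
  { 'project' => { 'id' => project.id, 'path_with_namespace' => project.full_path,
                   'visibility' => project.visibility }.to_json }
end

# user2 requesting user1's private project: leaked before, nothing after.
puts ide_data(vulnerable_project_lookup('user1/private-project', USER2))
puts ide_data(hardened_project_lookup('user1/private-project', USER2))
```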
Impact
Disclosure of information about private projects
What is the current bug behavior?
IdeController does not check permissions when looking up a project by its full path, so details of private projects are disclosed.
What is the expected correct behavior?
IdeController checks permissions when looking up a project by its full path.
Relevant logs and/or screenshots
Example of disclosed information:
{
"id": 25957107,
"description": "A ready-to-go template for Swift-based iOS development.",
"name": "private-ios-tmpl",
"name_with_namespace": "Deep Heep / private-ios-tmpl",
"path": "private-ios-tmpl",
"path_with_namespace": "deeepheep/private-ios-tmpl",
"created_at": "2021-04-17T11:12:17.964Z",
"tag_list": [],
"ssh_url_to_repo": "git@gitlab.com:deeepheep/private-ios-tmpl.git",
"http_url_to_repo": "https://gitlab.com/deeepheep/private-ios-tmpl.git",
"web_url": "https://gitlab.com/deeepheep/private-ios-tmpl",
"readme_url": "https://gitlab.com/deeepheep/private-ios-tmpl/-/blob/master/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2021-04-17T11:12:17.964Z",
"namespace": {
"id": 11748588,
"name": "Deep Heep",
"path": "deeepheep",
"kind": "user",
"full_path": "deeepheep",
"parent_id": null,
"avatar_url": "https://secure.gravatar.com/avatar/96dbe4fc039d860eb9a66492e192f5fa?s=80&d=identicon",
"web_url": "https://gitlab.com/deeepheep"
},
"container_registry_image_prefix": "registry.gitlab.com/deeepheep/private-ios-tmpl",
"_links": {
"self": "https://gitlab.com/api/v4/projects/25957107",
"issues": "https://gitlab.com/api/v4/projects/25957107/issues",
"merge_requests": "https://gitlab.com/api/v4/projects/25957107/merge_requests",
"repo_branches": "https://gitlab.com/api/v4/projects/25957107/repository/branches",
"labels": "https://gitlab.com/api/v4/projects/25957107/labels",
"events": "https://gitlab.com/api/v4/projects/25957107/events",
"members": "https://gitlab.com/api/v4/projects/25957107/members"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"owner": {
"id": 8693729,
"name": "Deep Heep",
"username": "deeepheep",
"state": "active",
"avatar_url": "https://secure.gravatar.com/avatar/96dbe4fc039d860eb9a66492e192f5fa?s=80&d=identicon",
"web_url": "https://gitlab.com/deeepheep"
},
"resolve_outdated_diff_discussions": false,
"container_registry_enabled": true,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2021-04-18T11:12:17.977Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"service_desk_enabled": true,
"service_desk_address": "incoming deeepheep-private-ios-tmpl-25957107-issue-@incoming.gitlab.com",
"can_create_merge_request_in": false,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "enabled",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 8693729,
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 50,
"ci_forward_deployment_enabled": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"build_coverage_regex": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": false,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"suggestion_commit_message": null,
"auto_devops_enabled": false,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"external_authorization_classification_label": "",
"requirements_enabled": false,
"security_and_compliance_enabled": null,
"compliance_frameworks": []
}
Output of checks
This bug happens on GitLab.com
Impact
Disclosure of information about private projects
How To Reproduce
Please add reproducibility information to this section: