WebIDE discloses information about private projects

HackerOne report #1167218 by 0xn3va on 2021-04-17, assigned to GitLab Team:

Report

Summary

When you open a project in the WebIDE at the /-/ide/project/<full_project_path> path, the IdeController looks up the project with the following method:

    # IdeController#project as reported: the path is taken straight from
    # params[:project_id] and resolved with no check that current_user
    # is allowed to read the resulting project.
    def project
      strong_memoize(:project) do
        next unless params[:project_id].present?

        Project.find_by_full_path(params[:project_id])
      end
    end

The result of that lookup is used inside IdeHelper#ide_data:

    module IdeHelper
      def ide_data
        {
          # ...
          # @project is whatever IdeController#project returned, serialized
          # as a project entity and embedded in the page.
          'project' => convert_to_project_entity_json(@project)
        }
      end
    end

The 'project' value is passed to the app/views/ide/_show.html.haml template. Since IdeController#project performs no permission check, /-/ide/project/<full_project_path> discloses information about private projects to any user who knows or guesses the path.

Steps to reproduce

  1. Log in as user1
  2. Create and initialize a private project
  3. Log in as user2
  4. Go to the following path: /-/ide/project/<user1>/<private-project>
  5. Open the page source and locate the project data via the data-project= attribute

Impact

Disclosure of information about private projects

What is the current bug behavior?

IdeController does not check permissions when resolving a project by its full path, so details of private projects are disclosed to users who are not members.

What is the expected correct behavior?

IdeController checks the current user's permissions when resolving a project by its full path, and treats a project the user may not read the same as a project that does not exist.
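The lookup described in the summary beside a hardened version, as an added example in plain Ruby. This is constructed for illustration and is neither GitLab's code nor the fix GitLab shipped: the sample users and projects, the can_read_project? rule, and the safe_project_lookup and *_ide_data helper names are all assumptions made here. It shows how the same data-project payload that the report reproduces leaks from the unchecked lookup and is withheld once the lookup authorizes against the current user.

```ruby
require 'json'

# Constructed sample data (not from GitLab): two users, one private and one
# public project owned by user1.
User    = Struct.new(:id, :username, keyword_init: true)
Project = Struct.new(:id, :full_path, :visibility, :member_ids, keyword_init: true)

USER1 = User.new(id: 1, username: 'user1')
USER2 = User.new(id: 2, username: 'user2')

PROJECTS = [
  Project.new(id: 100, full_path: 'user1/private-project', visibility: 'private', member_ids: [1]),
  Project.new(id: 101, full_path: 'user1/public-project',  visibility: 'public',  member_ids: [1])
].freeze

# Stand-in for Project.find_by_full_path: resolves a path with no notion of
# who is asking.
def find_by_full_path(path)
  PROJECTS.find { |p| p.full_path == path }
end

# Hypothetical read rule: public projects are readable by anyone (an anonymous
# visitor is passed as nil); private projects only by members.
def can_read_project?(user, project)
  return true if project.visibility == 'public'

  !user.nil? && project.member_ids.include?(user.id)
end

# Vulnerable lookup, mirroring the reported IdeController#project: the path is
# resolved and returned without consulting the current user at all.
def vulnerable_project_lookup(_current_user, project_id)
  return nil if project_id.nil? || project_id.empty?

  find_by_full_path(project_id)
end

# Hardened lookup: resolve, then authorize. A project the user may not read is
# reported exactly like a missing one (nil), so the response cannot be used to
# confirm that a private path exists.
def safe_project_lookup(current_user, project_id)
  project = vulnerable_project_lookup(current_user, project_id)
  return nil unless project && can_read_project?(current_user, project)

  project
end

# Analogue of IdeHelper#ide_data: whatever the lookup returns is serialized
# into the page (the data-project attribute in the report).
def ide_data(lookup, current_user, project_id)
  project = lookup.call(current_user, project_id)
  entity = project && {
    'id' => project.id,
    'path_with_namespace' => project.full_path,
    'visibility' => project.visibility
  }
  { 'project' => entity }
end

# Wrappers so the two controller variants can be compared side by side.
def vulnerable_ide_data(current_user, project_id)
  ide_data(method(:vulnerable_project_lookup), current_user, project_id)
end

def safe_ide_data(current_user, project_id)
  ide_data(method(:safe_project_lookup), current_user, project_id)
end

if __FILE__ == $PROGRAM_NAME
  path = 'user1/private-project'
  puts "vulnerable, as user2: #{JSON.generate(vulnerable_ide_data(USER2, path))}"
  puts "hardened,   as user2: #{JSON.generate(safe_ide_data(USER2, path))}"
  puts "hardened,   as user1: #{JSON.generate(safe_ide_data(USER1, path))}"
end
```

Two points carry over to a real controller. First, the authorization has to sit on the lookup that feeds the view helper, not on some other action; the report shows that a helper will happily serialize any object the controller hands it. Second, the leaked entity includes the id, namespace and visibility, so even a refusal that differs from the not-found response (a 403 instead of a 404) would still confirm that the private path exists; collapsing both cases to "not found" removes that signal. In GitLab's own code base the per-user check is conventionally expressed as can?(current_user, :read_project, project), which is outside what this report shows.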

Relevant logs and/or screenshots

Example of disclosed information:

{
  "id": 25957107,  
  "description": "A ready-to-go template for Swift-based iOS development.",  
  "name": "private-ios-tmpl",  
  "name_with_namespace": "Deep Heep / private-ios-tmpl",  
  "path": "private-ios-tmpl",  
  "path_with_namespace": "deeepheep/private-ios-tmpl",  
  "created_at": "2021-04-17T11:12:17.964Z",  
  "tag_list": [],  
  "ssh_url_to_repo": "git@gitlab.com:deeepheep/private-ios-tmpl.git",  
  "http_url_to_repo": "https://gitlab.com/deeepheep/private-ios-tmpl.git",  
  "web_url": "https://gitlab.com/deeepheep/private-ios-tmpl",  
  "readme_url": "https://gitlab.com/deeepheep/private-ios-tmpl/-/blob/master/README.md",  
  "avatar_url": null,  
  "forks_count": 0,  
  "star_count": 0,  
  "last_activity_at": "2021-04-17T11:12:17.964Z",  
  "namespace": {  
    "id": 11748588,  
    "name": "Deep Heep",  
    "path": "deeepheep",  
    "kind": "user",  
    "full_path": "deeepheep",  
    "parent_id": null,  
    "avatar_url": "https://secure.gravatar.com/avatar/96dbe4fc039d860eb9a66492e192f5fa?s=80&d=identicon",  
    "web_url": "https://gitlab.com/deeepheep"  
  },  
  "container_registry_image_prefix": "registry.gitlab.com/deeepheep/private-ios-tmpl",  
  "_links": {  
    "self": "https://gitlab.com/api/v4/projects/25957107",  
    "issues": "https://gitlab.com/api/v4/projects/25957107/issues",  
    "merge_requests": "https://gitlab.com/api/v4/projects/25957107/merge_requests",  
    "repo_branches": "https://gitlab.com/api/v4/projects/25957107/repository/branches",  
    "labels": "https://gitlab.com/api/v4/projects/25957107/labels",  
    "events": "https://gitlab.com/api/v4/projects/25957107/events",  
    "members": "https://gitlab.com/api/v4/projects/25957107/members"  
  },  
  "packages_enabled": true,  
  "empty_repo": false,  
  "archived": false,  
  "visibility": "private",  
  "owner": {  
    "id": 8693729,  
    "name": "Deep Heep",  
    "username": "deeepheep",  
    "state": "active",  
    "avatar_url": "https://secure.gravatar.com/avatar/96dbe4fc039d860eb9a66492e192f5fa?s=80&d=identicon",  
    "web_url": "https://gitlab.com/deeepheep"  
  },  
  "resolve_outdated_diff_discussions": false,  
  "container_registry_enabled": true,  
  "container_expiration_policy": {  
    "cadence": "1d",  
    "enabled": false,  
    "keep_n": 10,  
    "older_than": "90d",  
    "name_regex": ".*",  
    "name_regex_keep": null,  
    "next_run_at": "2021-04-18T11:12:17.977Z"  
  },  
  "issues_enabled": true,  
  "merge_requests_enabled": true,  
  "wiki_enabled": true,  
  "jobs_enabled": true,  
  "snippets_enabled": true,  
  "service_desk_enabled": true,  
  "service_desk_address": "incoming+deeepheep-private-ios-tmpl-25957107-issue-@incoming.gitlab.com",
  "can_create_merge_request_in": false,  
  "issues_access_level": "enabled",  
  "repository_access_level": "enabled",  
  "merge_requests_access_level": "enabled",  
  "forking_access_level": "enabled",  
  "wiki_access_level": "enabled",  
  "builds_access_level": "enabled",  
  "snippets_access_level": "enabled",  
  "pages_access_level": "enabled",  
  "operations_access_level": "enabled",  
  "analytics_access_level": "enabled",  
  "emails_disabled": null,  
  "shared_runners_enabled": true,  
  "lfs_enabled": true,  
  "creator_id": 8693729,  
  "import_status": "finished",  
  "open_issues_count": 0,  
  "ci_default_git_depth": 50,  
  "ci_forward_deployment_enabled": true,  
  "public_jobs": true,  
  "build_timeout": 3600,  
  "auto_cancel_pending_pipelines": "enabled",  
  "build_coverage_regex": null,  
  "shared_with_groups": [],  
  "only_allow_merge_if_pipeline_succeeds": false,  
  "allow_merge_on_skipped_pipeline": null,  
  "restrict_user_defined_variables": false,  
  "request_access_enabled": false,  
  "only_allow_merge_if_all_discussions_are_resolved": false,  
  "remove_source_branch_after_merge": true,  
  "printing_merge_request_link_enabled": true,  
  "merge_method": "merge",  
  "suggestion_commit_message": null,  
  "auto_devops_enabled": false,  
  "auto_devops_deploy_strategy": "continuous",  
  "autoclose_referenced_issues": true,  
  "external_authorization_classification_label": "",  
  "requirements_enabled": false,  
  "security_and_compliance_enabled": null,  
  "compliance_frameworks": []  
}

Output of checks

This bug happens on GitLab.com

How To Reproduce

Please add reproducibility information to this section: