Skip to content

Private user email disclosure via group invitation

HackerOne report #1204320 by jimeno on 2021-05-20, assigned to GitLab Team:

Report | Attachments | How To Reproduce

Report

Summary

GitLab paid plans support group administrators to restrict group memberships by email domain. For example, a grpup administrator can create a setting so that all group members must have a gitlab.com email address. Related documentation can be found here.

Thanks to it, any GitLab who can create a group can leak other users email address, even when these are configured as private

Steps to reproduce

NOTE: Please, use an Ultimate GitLab instance as that's the one I used.

  1. Create a GitLab group and enable domain restrictions. Only add gitlab.com to the allow-list.

    email_restriction.png

  2. Create a new GitLab user and make sure their profile is private by following the official linked documentation.

    private_settings.png

  3. As your attacker, visit their profile https://your-instance.tld/private and make sure GitLab says the profile is private.

    private_view.png

  4. Try to invite the user to the group (you will need to know their username) and notice the error in a red textbox on top of the page displays their email address to you.

    email_disclosure.png

recording-1621534191673.webm

Impact

Email address disclosure.

Examples

N/A.

What is the current bug behavior?

Email address of user is displayed to attacker when group invitation fails.

What is the expected correct behavior?

Error message is displayed to the attacker while respecting invited user's privacy settings.

Relevant logs and/or screenshots

N/A.

Output of checks

N/A.

Results of GitLab environment info
root@rigel:/# gitlab-rake gitlab:env:info

System information  
System:  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.7.2p137  
Gem Version:	3.1.4  
Bundler Version:2.1.4  
Rake Version:	13.0.3  
Redis Version:	6.0.12  
Git Version:	2.31.1  
Sidekiq Version:5.2.9  
Go Version:	unknown

GitLab information  
Version:	13.11.4-ee  
Revision:	d1a2e182d3b  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	12.6  
URL:		https://rigel.wiki  
HTTP Clone URL:	https://rigel.wiki/some-group/some-project.git  
SSH Clone URL:	git@rigel.wiki:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: auth0

GitLab Shell  
Version:	13.17.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git

Impact

Email address disclosure.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Proposal

A fix proposal is discussed here.

Edited by Rohit Shambhuni