Project API discloses additional information about a project with the `Only Project Members` visibility
Note: The main concern of this report is that the issues_template and merge_requests_template information is exposed. There is an existing issue tracking the fix of the shared groups information.
HackerOne report #1255128 by 0xn3va on 2021-07-08, assigned to @ankelly:
Report
Summary
For a public project whose features are restricted to project members only, GitLab discloses the issue/merge request templates and the name of the private group shared with the project.
Steps to reproduce
1. Log in as `user1`.
2. Create a private group `private-group`.
3. Create a public project `public-project`.
4. Go to the Members page of the public project (`Project information > Members`) and invite the private group.
5. Go to the project settings (`Settings > General`) and change the values from `Everyone With Access` to `Only Project Members` within the `Visibility, project features, permissions` section.
6. On the same page, open the `Merge requests` section and set a default description template for merge requests within `Default description template for merge requests`.
7. On the same page, open the `Default description template for issues` section and set a default description template for issues.
8. Log in as `user2`.
9. Get the project details via the API:

```
$ curl -v -X GET -H "PRIVATE-TOKEN: <user-2-token>" "http://0xn3va.gitlab.local/api/v4/projects/<project-id>"
```

10. The response contains information about the private group inside `shared_with_groups` (it is also available in the UI) and the issue/MR templates inside `issues_template`/`merge_requests_template`.
Impact
The `shared_with_groups` field discloses the id and full path of private projects. The `issues_template`/`merge_requests_template` fields disclose the content of templates that may contain sensitive information, internal links, or links to project uploads (such as http://0xn3va.gitlab.local/deepheep/uploads/f2e66c888f453e7584042d22bde49088/filename.txt; since user2 has read permissions, user2 is able to fetch these uploaded files).
What is the current bug behavior?
Users with read permission on a project with the Only Project Members visibility have access to the values of `shared_with_groups`, `issues_template` and `merge_requests_template`.
What is the expected correct behavior?
Users with read permission on a project with the Only Project Members visibility should not have access to the values of `shared_with_groups`, `issues_template` and `merge_requests_template`.
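A small regression check for the behaviour described above, written for this write-up rather than taken from the report or from GitLab's code base: given a project API response served to a given requester, it reports which of the three restricted fields are still populated for a non-member, and lists any upload links embedded in the templates (the exposure the Impact section warns about). The `is_members_only` rule (repository, issues and merge request features all set to `private`, mirroring the reproduction steps) and the sample response are assumptions constructed for the example.

```python
import json
import re

# Access level the API reports for a feature set to "Only Project Members".
MEMBERS_ONLY = "private"

# Fields the report says a non-member must not receive for such a project.
RESTRICTED_FIELDS = ("shared_with_groups", "issues_template", "merge_requests_template")

# Matches links to project uploads, the kind of link the report warns templates may carry.
UPLOAD_LINK = re.compile(r"https?://\S+?/uploads/[0-9a-f]{32}/\S+")


def is_members_only(project: dict) -> bool:
    """Assumption: treat the project as members-only when the repository, issues
    and merge request features are all restricted, as set in the repro steps."""
    keys = ("repository_access_level", "issues_access_level", "merge_requests_access_level")
    return all(project.get(k) == MEMBERS_ONLY for k in keys)


def disclosed_fields(project: dict, requester_is_member: bool) -> list:
    """Restricted fields that are non-empty in a response served to a non-member."""
    if requester_is_member or not is_members_only(project):
        return []
    # None, "" and [] all mean nothing was disclosed for that field.
    return [f for f in RESTRICTED_FIELDS if project.get(f)]


def upload_links(project: dict) -> list:
    """Upload URLs embedded in the templates; with the bug, any reader of the
    project could fetch these files, so they are worth auditing."""
    text = " ".join(project.get(f) or "" for f in ("issues_template", "merge_requests_template"))
    return UPLOAD_LINK.findall(text)


# Constructed sample, trimmed to the fields the checks look at; it mirrors the
# shape of the report's response but none of the values are copied from it.
SAMPLE = json.loads("""{
  "id": 17, "visibility": "public",
  "repository_access_level": "private", "issues_access_level": "private",
  "merge_requests_access_level": "private",
  "shared_with_groups": [{"group_id": 14, "group_full_path": "private-group", "group_access_level": 30}],
  "issues_template": "See http://gitlab.example/ns/proj/uploads/0123456789abcdef0123456789abcdef/runbook.txt",
  "merge_requests_template": ""
}""")

if __name__ == "__main__":
    print(disclosed_fields(SAMPLE, requester_is_member=False))
    print(upload_links(SAMPLE))
```

Run it against a real response by replacing `SAMPLE` with the parsed body of the `curl` call from the steps above, authenticated as a non-member; an empty list from `disclosed_fields` means the fix is in place.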
Relevant logs and/or screenshots
Response example:

```json
{"id":17,"description":"project description","name":"project","name_with_namespace":"deepheep/project","path":"project","path_with_namespace":"deepheep/project","created_at":"2021-07-08T17:25:36.593Z","tag_list":[],"topics":[],"ssh_url_to_repo":"git@0xn3va.gitlab.local:deepheep/project.git","http_url_to_repo":"http://0xn3va.gitlab.local/deepheep/project.git","web_url":"http://0xn3va.gitlab.local/deepheep/project","readme_url":"http://0xn3va.gitlab.local/deepheep/project/-/blob/main/README.md","avatar_url":null,"forks_count":1,"star_count":0,"last_activity_at":"2021-07-08T17:25:36.593Z","namespace":{"id":15,"name":"deepheep","path":"deepheep","kind":"user","full_path":"deepheep","parent_id":null,"avatar_url":null,"web_url":"http://0xn3va.gitlab.local/deepheep"},"_links":{"self":"http://0xn3va.gitlab.local/api/v4/projects/17","repo_branches":"http://0xn3va.gitlab.local/api/v4/projects/17/repository/branches","labels":"http://0xn3va.gitlab.local/api/v4/projects/17/labels","events":"http://0xn3va.gitlab.local/api/v4/projects/17/events","members":"http://0xn3va.gitlab.local/api/v4/projects/17/members"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"public","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2021-07-09T17:25:37.343Z"},"issues_enabled":false,"merge_requests_enabled":false,"wiki_enabled":false,"jobs_enabled":false,"snippets_enabled":false,"container_registry_enabled":true,"service_desk_enabled":true,"service_desk_address":"incoming+public-group-project-17-issue-[@]0xn3va.gitlab.local","can_create_merge_request_in":false,"issues_access_level":"private","repository_access_level":"private","merge_requests_access_level":"private","forking_access_level":"private","wiki_access_level":"private","builds_access_level":"private","snippets_access_level":"private","pages_access_level":"enabled","operations_access_level":"private","analytics_access_level":"private","emails_disabled":false,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":3,"import_status":"none","ci_default_git_depth":50,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","build_coverage_regex":null,"shared_with_groups":[{"group_id":14,"group_name":"private-group","group_full_path":"private-group","group_access_level":30,"expires_at":null}],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":false,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","suggestion_commit_message":"","auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"approvals_before_merge":0,"mirror":false,"external_authorization_classification_label":null,"marked_for_deletion_at":null,"marked_for_deletion_on":null,"requirements_enabled":true,"security_and_compliance_enabled":false,"compliance_frameworks":[],"issues_template":"wdfdsfdsgsdg","merge_requests_template":"dsjfsdkjfnds","permissions":{"project_access":null,"group_access":null}}
```
Output of checks
Results of GitLab environment info
```
$ gitlab-rake gitlab:env:info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version:2.1.4
Rake Version: 13.0.3
Redis Version: 6.0.14
Git Version: 2.32.0
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version: 14.0.2-ee
Revision: 2504e045362
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.6
URL: http://0xn3va.gitlab.local
HTTP Clone URL: http://0xn3va.gitlab.local/some-group/some-project.git
SSH Clone URL: git@0xn3va.gitlab.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: gitlab
GitLab Shell
Version: 13.19.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
```