Project API discloses additional information about a project with the `Only Project Members` visibility
Note: The main concern of this report is that the `issues_template` and `merge_requests_template` information is exposed. There is an existing issue tracking the fix of the shared groups information.
HackerOne report #1255128 by 0xn3va on 2021-07-08, assigned to @ankelly:
Report
Summary
For a public project that provides access to only project members, GitLab discloses the issue/merge request templates and the name of the private group shared with the project.
Steps to reproduce
- Log in as user1
- Create a private group `private-group`
- Create a public project `public-project`
- Go to the Members page of the public project (`Project information > Members`) and invite the private group
- Go to the project settings (`Settings > General`) and, within the `Visibility, project features, permissions` section, change the values from `Everyone With Access` to `Only Project Members`
- On the same page, open the `Merge requests` section and set a default description template for MRs within `Default description template for merge requests`
- On the same page, open the `Default description template for issues` section and set a default description template for issues
- Log in as user2
- Get the project details via the API: `$ curl -v -X GET -H "PRIVATE-TOKEN: <user-2-token>" "http://0xn3va.gitlab.local/api/v4/projects/<project-id>"`
- The response contains information about the private group inside `shared_with_groups` (it is also available in the UI) and the issue/MR templates inside `issues_template`/`merge_requests_template`.
Impact
The `shared_with_groups` discloses the id and full path of private projects. The `issues_template`/`merge_requests_template` discloses the content of templates that may contain sensitive information, internal links, or links to project uploads (such as http://0xn3va.gitlab.local/deepheep/uploads/f2e66c888f453e7584042d22bde49088/filename.txt; since user2 has read permissions, user2 is able to get these uploaded files).
What is the current bug behavior?
Users with read permission in a project with the `Only Project Members` visibility have access to the values of `shared_with_groups`, `issues_template`, `merge_requests_template`.
What is the expected correct behavior?
Users with read permission in a project with the `Only Project Members` visibility should not have access to the values of `shared_with_groups`, `issues_template`, `merge_requests_template`.
Relevant logs and/or screenshots
Response example:

```json
{"id":17,"description":"project description","name":"project","name_with_namespace":"deepheep/project","path":"project","path_with_namespace":"deepheep/project","created_at":"2021-07-08T17:25:36.593Z","tag_list":[],"topics":[],"ssh_url_to_repo":"git@0xn3va.gitlab.local:deepheep/project.git","http_url_to_repo":"http://0xn3va.gitlab.local/deepheep/project.git","web_url":"http://0xn3va.gitlab.local/deepheep/project","readme_url":"http://0xn3va.gitlab.local/deepheep/project/-/blob/main/README.md","avatar_url":null,"forks_count":1,"star_count":0,"last_activity_at":"2021-07-08T17:25:36.593Z","namespace":{"id":15,"name":"deepheep","path":"deepheep","kind":"user","full_path":"deepheep","parent_id":null,"avatar_url":null,"web_url":"http://0xn3va.gitlab.local/deepheep"},"_links":{"self":"http://0xn3va.gitlab.local/api/v4/projects/17","repo_branches":"http://0xn3va.gitlab.local/api/v4/projects/17/repository/branches","labels":"http://0xn3va.gitlab.local/api/v4/projects/17/labels","events":"http://0xn3va.gitlab.local/api/v4/projects/17/events","members":"http://0xn3va.gitlab.local/api/v4/projects/17/members"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"public","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2021-07-09T17:25:37.343Z"},"issues_enabled":false,"merge_requests_enabled":false,"wiki_enabled":false,"jobs_enabled":false,"snippets_enabled":false,"container_registry_enabled":true,"service_desk_enabled":true,"service_desk_address":"incoming+public-group-project-17-issue-[@]0xn3va.gitlab.local","can_create_merge_request_in":false,"issues_access_level":"private","repository_access_level":"private","merge_requests_access_level":"private","forking_access_level":"private","wiki_access_level":"private","builds_access_level":"private","snippets_access_level":"private","pages_access_level":"enabled","operations_access_level":"private","analytics_access_level":"private","emails_disabled":false,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":3,"import_status":"none","ci_default_git_depth":50,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","build_coverage_regex":null,"shared_with_groups":[{"group_id":14,"group_name":"private-group","group_full_path":"private-group","group_access_level":30,"expires_at":null}],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":false,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","suggestion_commit_message":"","auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"approvals_before_merge":0,"mirror":false,"external_authorization_classification_label":null,"marked_for_deletion_at":null,"marked_for_deletion_on":null,"requirements_enabled":true,"security_and_compliance_enabled":false,"compliance_frameworks":[],"issues_template":"wdfdsfdsgsdg","merge_requests_template":"dsjfsdkjfnds","permissions":{"project_access":null,"group_access":null}}
```
Output of checks
Results of GitLab environment info
```
$ gitlab-rake gitlab:env:info

System information
System:		
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.2p137
Gem Version:	3.1.4
Bundler Version:2.1.4
Rake Version:	13.0.3
Redis Version:	6.0.14
Git Version:	2.32.0
Sidekiq Version:5.2.9
Go Version:	unknown

GitLab information
Version:	14.0.2-ee
Revision:	2504e045362
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.6
URL:		http://0xn3va.gitlab.local
HTTP Clone URL:	http://0xn3va.gitlab.local/some-group/some-project.git
SSH Clone URL:	git@0xn3va.gitlab.local:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: gitlab

GitLab Shell
Version:	13.19.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell
Git:		/opt/gitlab/embedded/bin/git
```
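An added verification check, written for this page and not part of the report or of GitLab's own code: it inspects a Projects API response obtained with a non-member's token and reports which of the three fields named above still carry a value, plus any project upload links a disclosed template points to, so an administrator can confirm a fix or judge exposure. It assumes a personal access token for a user who is not a project member; the sample response is constructed from the shape shown in the report.

```python
"""Check a GitLab Projects API response for fields that should be members-only."""
import json
import re
from urllib.request import Request, urlopen

# Fields the report shows as readable by a non-member when project features
# are restricted to "Only Project Members".
SENSITIVE_FIELDS = ("shared_with_groups", "issues_template", "merge_requests_template")

# Project upload links: .../<namespace>/<project>/uploads/<32 hex chars>/<filename>
UPLOAD_RE = re.compile(r"https?://[^\s)\"'<>]+/uploads/[0-9a-f]{32}/[^\s)\"'<>]+")


def disclosed_fields(project):
    """Return {field: value} for sensitive fields that carry a non-empty value.

    None, "" and [] all mean nothing was disclosed for that field."""
    return {name: project.get(name) for name in SENSITIVE_FIELDS if project.get(name)}


def upload_links(project):
    """List project upload URLs referenced from the disclosed templates, so an
    admin can see what a leaked template actually points to."""
    links = []
    for name in ("issues_template", "merge_requests_template"):
        links.extend(UPLOAD_RE.findall(project.get(name) or ""))
    return links


def fetch_project(base_url, project_id, token):
    """GET /api/v4/projects/:id with the given token (a non-member's, for this check)."""
    req = Request(f"{base_url}/api/v4/projects/{project_id}",
                  headers={"PRIVATE-TOKEN": token})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample, trimmed to the relevant keys of the response in the report.
SAMPLE = {
    "id": 17,
    "visibility": "public",
    "issues_access_level": "private",
    "shared_with_groups": [{"group_id": 14, "group_name": "private-group",
                            "group_full_path": "private-group",
                            "group_access_level": 30, "expires_at": None}],
    "issues_template": "Checklist: http://0xn3va.gitlab.local/deepheep/uploads/"
                       "f2e66c888f453e7584042d22bde49088/filename.txt",
    "merge_requests_template": "",
}

if __name__ == "__main__":
    # Swap SAMPLE for fetch_project("http://0xn3va.gitlab.local", 17, "<token>")
    # to run the same check against a live instance.
    print("exposed fields:", sorted(disclosed_fields(SAMPLE)) or "none")
    print("upload links in templates:", upload_links(SAMPLE) or "none")
```

After the fix, a non-member's response should yield an empty result from `disclosed_fields`, which is the assertion worth keeping in a regression test.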