Elastic Search returns private comments of restricted projects
Hi GitLab Security Team,
I saw that GitLab released two critical security releases regarding the Elastic Search feature.
It seems this is not yet fixed properly. GitLab still returns private comments for restricted public projects.
Here, the project is configured such that features (issues, merge requests, repo, snippets) are restricted to project members only. However, Elastic Search now returns comments, e.g. on issues, MRs, commits, snippets, to unauthenticated users, who are not project members.
Steps to reproduce
Tested on a local installation of GitLab Enterprise Edition 12.3.0-pre f560fedd
- Set up Elastic Search and enable advanced search
- On GitLab, create a public project where all features (issues, repos, merge requests, snippets) are restricted to project members only
- Create an issue with an additional note, a merge request with an additional note, and comment on a commit, and a snippet with a comment
- As an unauthenticated user, search for that comment
Thus, this is leaking:
- the comment
- Issue title
- Merge request title
- Commit SHA
- Snippet title
See the screenshot below.
Unauthenticated users can search for private comments. Furthermore, they get to know the issue, merge request and snippet titles, but also commit SHAs.
What is the current bug behavior?
Unauthorized users have access to private information such as the comments and related meta information (issue, MR, snippet titles)
What is the expected correct behavior?
Search needs to take project feature visibility into account.
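To illustrate the expected behaviour described in this report, here is an added example (not GitLab's code, and not from the reporter) that models the check a search query must apply before returning a note: project visibility alone is not enough, the feature the note belongs to must also be readable by the requesting user. All type, field and feature names are assumptions.

```ruby
# Added example: a minimal model of the authorization check that a search
# index query must apply before returning a note. Not GitLab's code; all
# names below are assumptions.
Project = Struct.new(:id, :visibility, :features, :member_ids, keyword_init: true)
Note    = Struct.new(:id, :project_id, :noteable_type, :body, keyword_init: true)
# Which project feature governs a note, by the type of object it is attached to.
FEATURE_FOR_NOTEABLE = {
  'Issue' => :issues, 'MergeRequest' => :merge_requests,
  'Commit' => :repository, 'Snippet' => :snippets
}.freeze

def member?(project, user_id)
  !user_id.nil? && project.member_ids.include?(user_id)
end

# Feature access levels: :everyone, :private (members only) or :disabled.
def feature_visible?(project, feature, user_id)
  case project.features.fetch(feature, :disabled)
  when :everyone then true
  when :private  then member?(project, user_id)
  else false
  end
end

# A note is visible only if the project is readable AND the feature the
# note belongs to is readable by this user.
def note_visible?(project, note, user_id)
  return false unless project.visibility == :public || member?(project, user_id)
  feature = FEATURE_FOR_NOTEABLE[note.noteable_type]
  !feature.nil? && feature_visible?(project, feature, user_id)
end

# check_features: false reproduces the reported behaviour (project visibility
# only); true is the expected behaviour.
def search_notes(notes, projects, query, user_id, check_features: true)
  notes.select do |note|
    project = projects.fetch(note.project_id)
    next false unless note.body.include?(query)
    next false unless project.visibility == :public || member?(project, user_id)
    !check_features || note_visible?(project, note, user_id)
  end
end

# Constructed sample data: a public project whose features are members-only.
PROJECTS = { 1 => Project.new(id: 1, visibility: :public, member_ids: [42],
  features: { issues: :private, merge_requests: :private,
              repository: :private, snippets: :private }) }
NOTES = [Note.new(id: 1, project_id: 1, noteable_type: 'Issue', body: 'secret plan'),
         Note.new(id: 2, project_id: 1, noteable_type: 'Commit', body: 'secret sha')]
```

With `check_features: false` an unauthenticated search (`user_id` nil) returns both notes; with the feature check applied only project member 42 sees them.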
Results of GitLab environment info
This was tested on a local installation of GDK from today.
System information
System: Ubuntu 19.04
Proxy: no
Current User: xanbanx
Using RVM: yes
RVM Version: 1.29.9
Ruby Version: 2.6.3p62
Gem Version: 3.0.6
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.3
Git Version: 2.23.0
Sidekiq Version: 5.2.7
Go Version: go1.12.6 linux/amd64

GitLab information
Version: 12.3.0-pre
Revision: f560feddaaa
Directory: /home/xanbanx/gdk/gdk/gitlab
DB Adapter: PostgreSQL
DB Version: 11.5
URL: http://localhost:3000
HTTP Clone URL: http://localhost:3000/some-group/some-project.git
SSH Clone URL: ssh://[email protected]:2222/some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 10.0.0
Repository storage paths:
- default: /home/xanbanx/gdk/gdk/repositories
GitLab Shell path: /home/xanbanx/gdk/gdk/gitlab-shell
Git: /usr/bin/git