Elastic Search returns private comments of restricted projects
HackerOne report #710430 by xanbanx on 2019-10-09, assigned to @jeremymatos:
Hi GitLab Security Team,
Summary
I saw that GitLab released two critical security releases regarding the Elastic Search feature.
It seems this is not yet fixed properly. GitLab still returns private comments for restricted public projects.
Here, the project is configured such that features (issues, merge requests, repo, snippets) are restricted to project members only. However, Elastic Search now returns comments, e.g. on issues, MRs, commits, snippets, to unauthenticated users who are not project members.
Steps to reproduce
Tested on a local installation of GitLab Enterprise Edition 12.3.0-pre f560fedd
- Setup Elastic Search and enable advanced search
- On GitLab, create a public project where all features (issues, repos, merge requests, snippets) are restricted to project members only
- Create an issue with an additional note, a merge request with an additional note, a comment on a commit, and a snippet with a comment
- As an unauthenticated user, search for that comment
Thus, this is leaking:
- the comment
- Issue title
- Merge request title
- Commit Sha
- Snippet title
See the screenshot below.
Impact
Unauthenticated users can search for private comments. Furthermore, they get to know the issue, merge request titles, and snippet titles, but also commit SHAs.
What is the current bug behavior?
Unauthorized users have access to private information such as the comments and related meta information (issue, MR, snippet titles)
What is the expected correct behavior?
Search needs to take project feature visibility into account.
Results of GitLab environment info
This was tested on a local installation of GDK from today.
System information
System: Ubuntu 19.04
Proxy: no
Current User: xanbanx
Using RVM: yes
RVM Version: 1.29.9
Ruby Version: 2.6.3p62
Gem Version: 3.0.6
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.3
Git Version: 2.23.0
Sidekiq Version:5.2.7
Go Version: go1.12.6 linux/amd64
GitLab information
Version: 12.3.0-pre
Revision: f560feddaaa
Directory: /home/xanbanx/gdk/gdk/gitlab
DB Adapter: PostgreSQL
DB Version: 11.5
URL: http://localhost:3000
HTTP Clone URL: http://localhost:3000/some-group/some-project.git
SSH Clone URL: ssh://xanbanx@localhost:2222/some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 10.0.0
Repository storage paths:
- default: /home/xanbanx/gdk/gdk/repositories
GitLab Shell path: /home/xanbanx/gdk/gdk/gitlab-shell
Git: /usr/bin/git
Best regards,
Xanbanx
Impact
See above.
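The expected behaviour the report asks for, as an added example that is not GitLab's own code: a filter over note search hits that checks the per-feature access level (members-only issues, merge requests, repository, snippets) rather than only the project's public visibility. All constants, structs and sample data below are hypothetical and constructed for the example.

```ruby
# Added example (not GitLab's code): a minimal visibility filter that
# applies per-feature access levels to note search hits, the check the
# report says was missing. All names and structures are hypothetical.
PUBLIC   = :public
ENABLED  = :enabled   # feature visible to anyone who can see the project
MEMBERS  = :members   # feature visible to project members only
DISABLED = :disabled
Project = Struct.new(:id, :visibility, :features, :member_ids)
Note    = Struct.new(:id, :project_id, :noteable_type, :body)
# Which project feature gates a note, keyed by the object it comments on;
# a comment on a commit is governed by repository access.
FEATURE_FOR = {
  'Issue' => :issues, 'MergeRequest' => :merge_requests,
  'Commit' => :repository, 'Snippet' => :snippets
}.freeze

# user_id is nil for an unauthenticated visitor.
def member?(project, user_id)
  !user_id.nil? && project.member_ids.include?(user_id)
end

def project_visible?(project, user_id)
  project.visibility == PUBLIC || member?(project, user_id)
end

# A public project alone is not enough: a members-only feature still
# requires membership, which is exactly the gap the report describes.
def feature_visible?(project, feature, user_id)
  case project.features.fetch(feature, DISABLED)
  when ENABLED then project_visible?(project, user_id)
  when MEMBERS then member?(project, user_id)
  else false
  end
end

# Drop search hits whose project, feature, or membership check fails.
def filter_notes(notes, projects_by_id, user_id)
  notes.select do |note|
    project = projects_by_id[note.project_id]
    feature = FEATURE_FOR[note.noteable_type]
    !project.nil? && !feature.nil? && feature_visible?(project, feature, user_id)
  end
end

# Constructed sample data: project 1 is public but members-only for every
# feature (the report's setup; user 42 is its only member), project 2 is open.
RESTRICTED = Project.new(1, PUBLIC, { issues: MEMBERS, merge_requests: MEMBERS, repository: MEMBERS, snippets: MEMBERS }, [42])
OPEN = Project.new(2, PUBLIC, { issues: ENABLED, merge_requests: ENABLED, repository: ENABLED, snippets: ENABLED }, [])
PROJECTS = { 1 => RESTRICTED, 2 => OPEN }
HITS = [Note.new(10, 1, 'Issue', 'members-only issue comment'),
        Note.new(11, 1, 'Commit', 'members-only commit comment'),
        Note.new(12, 2, 'Issue', 'public issue comment')]
```

With this filter an anonymous search over HITS returns only the note from the open project, while member 42 sees all three.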