Elastic Search returns private comments of restricted projects

HackerOne report #710430 by xanbanx on 2019-10-09, assigned to @jeremymatos:

Hi GitLab Security Team,

Summary

I saw that GitLab released two critical security releases regarding the Elastic Search feature.
It seems this is not yet fixed properly. GitLab still returns private comments for restricted public projects.

Here, the project is configured such that features (issues, merge requests, repo, snippets) are restricted to project members only. However, Elastic Search now returns comments, e.g. on issues, MRs, commits, snippets, to unauthenticated users who are not project members.

Steps to reproduce

Tested on a local installation of GitLab Enterprise Edition 12.3.0-pre f560fedd

  1. Set up Elastic Search and enable advanced search
  2. On GitLab, create a public project where all features (issues, repos, merge requests, snippets) are restricted to project members only
  3. Create an issue with an additional note, a merge request with an additional note, and comment on a commit, and a snippet with a comment
  4. As an unauthenticated user, search for that comment

Thus, this is leaking:

  • the comment
  • Issue title
  • Merge request title
  • Commit SHA
  • Snippet title

See the screenshot below.

Impact

Unauthenticated users can search for private comments. Furthermore, they get to know the issue, merge request and snippet titles, but also commit SHAs.

What is the current bug behavior?

Unauthorized users have access to private information such as the comments and related meta information (issue, MR, snippet titles).

What is the expected correct behavior?

Search needs to take project feature visibility into account.

Results of GitLab environment info

This was tested on a local installation of GDK from today.

System information  
System:         Ubuntu 19.04  
Proxy:          no  
Current User:   xanbanx  
Using RVM:      yes  
RVM Version:    1.29.9  
Ruby Version:   2.6.3p62  
Gem Version:    3.0.6  
Bundler Version:1.17.3  
Rake Version:   12.3.3  
Redis Version:  5.0.3  
Git Version:    2.23.0  
Sidekiq Version:5.2.7  
Go Version:     go1.12.6 linux/amd64

GitLab information  
Version:        12.3.0-pre  
Revision:       f560feddaaa  
Directory:      /home/xanbanx/gdk/gdk/gitlab  
DB Adapter:     PostgreSQL  
DB Version:     11.5  
URL:            http://localhost:3000  
HTTP Clone URL: http://localhost:3000/some-group/some-project.git  
SSH Clone URL:  ssh://xanbanx@localhost:2222/some-group/some-project.git  
Elasticsearch:  yes  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:        10.0.0  
Repository storage paths:  
- default:      /home/xanbanx/gdk/gdk/repositories  
GitLab Shell path:              /home/xanbanx/gdk/gdk/gitlab-shell  
Git:            /usr/bin/git  

Best regards,
Xanbanx

Impact

See above.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • leak.png
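The expected behavior described in the report is that a search hit on a comment is only returned when the project feature that governs the commented object (issues, merge requests, repository for commit notes, snippets) is visible to the searching user, and that the whole hit is dropped so the noteable title or commit SHA does not leak either. The following added illustration is not GitLab's code; all class names, constants and the sample data are hypothetical and constructed to mirror the report's setup (a public project with every feature restricted to members):

```ruby
# Added illustration (not GitLab's code): a simplified model of how a
# search layer should apply per-feature project visibility before
# returning comments (notes). Names, classes and constants here are
# hypothetical; they only mirror the concepts in the report.

# Hypothetical access levels for a project feature.
DISABLED = 0
PRIVATE  = 10   # members only
ENABLED  = 20   # everyone who can see the project

# The kind of object a note is attached to -> the project feature that
# governs it. A note on a commit is governed by the repository feature,
# a note on a snippet by the snippets feature.
FEATURE_FOR_NOTEABLE = {
  "Issue"        => :issues,
  "MergeRequest" => :merge_requests,
  "Commit"       => :repository,
  "Snippet"      => :snippets
}.freeze

Project = Struct.new(:name, :public, :features, :members)
Note    = Struct.new(:project, :noteable_type, :noteable_title, :body)

# Can `user` (nil = unauthenticated) see the project at all?
def project_visible?(project, user)
  project.public || (!user.nil? && project.members.include?(user))
end

# Can `user` use the given feature of the project?
def feature_visible?(project, feature, user)
  return false unless project_visible?(project, user)
  case project.features.fetch(feature, DISABLED)
  when ENABLED then true
  when PRIVATE then !user.nil? && project.members.include?(user)
  else false
  end
end

# The check the report asks for: a note is searchable only if the feature
# its noteable belongs to is visible to the user. The whole hit is dropped,
# so neither the comment body nor the noteable title / SHA leaks.
def note_visible?(note, user)
  feature = FEATURE_FOR_NOTEABLE[note.noteable_type]
  return false if feature.nil?  # unknown noteable type: fail closed
  feature_visible?(note.project, feature, user)
end

def filter_search_hits(notes, user)
  notes.select { |n| note_visible?(n, user) }
end

# Constructed sample data reproducing the report's setup: a public project
# whose issues, MRs, repository and snippets are restricted to members,
# next to a public project with all features enabled.
RESTRICTED = Project.new(
  "restricted", true,
  { issues: PRIVATE, merge_requests: PRIVATE, repository: PRIVATE, snippets: PRIVATE },
  ["alice"]
)
OPEN = Project.new(
  "open", true,
  { issues: ENABLED, merge_requests: ENABLED, repository: ENABLED, snippets: ENABLED },
  ["alice"]
)

SAMPLE_NOTES = [
  Note.new(RESTRICTED, "Issue",        "Secret issue",   "private comment"),
  Note.new(RESTRICTED, "MergeRequest", "Secret MR",      "private comment"),
  Note.new(RESTRICTED, "Commit",       "abc123",         "private comment"),
  Note.new(RESTRICTED, "Snippet",      "Secret snippet", "private comment"),
  Note.new(OPEN,       "Issue",        "Public issue",   "public comment")
]

if __FILE__ == $0
  puts "anonymous: #{filter_search_hits(SAMPLE_NOTES, nil).map(&:noteable_title).inspect}"
  puts "alice:     #{filter_search_hits(SAMPLE_NOTES, 'alice').map(&:noteable_title).inspect}"
end
```

The filter is applied per hit on the noteable's feature rather than on the project's overall visibility, which is the distinction the report says the fixed releases still missed: a public project can still have every feature set to members-only, and an unknown noteable type fails closed.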