Default branch visible despite no permissions to repository
Update: per Michelle's comment here
The issue outlined in the description has been resolved; however, additional findings occurred during the security review: gitlab-org/security/gitlab#103 (comment 333022117)
curl -s https://staging.gitlab.com/dcouture/norepoaccess | grep this_is_the_default_branch
<input type="hidden" name="repository_ref" id="repository_ref" value="this_is_the_default_branch" />
<div class="search-autocomplete-opts hide" data-autocomplete-path="/search/autocomplete" data-autocomplete-project-id="4588281" data-autocomplete-project-ref="this_is_the_default_branch"></div>
</a></li><li class=""><a class="shortcuts-repository-charts" title="Repository" href="/dcouture/norepoaccess/-/graphs/this_is_the_default_branch/charts"><span>Repository</span>
HackerOne report #706361 by ashish_r_padelkar
on 2019-10-02, assigned to @cmaxim:
Summary
Hello,
The default branch should not be visible to guest/non-member users when they do not have any access to the repository. However, the default branch is still visible to such users.
I am reporting this issue as a similar report was resolved before (#531694), which exposed the default branch when there was no access to the repository.
Steps to reproduce
- Create a public project with no access to the repository for non-members. This can be done by setting repository access to "Only Project Members". This should ensure that no information related to the repository is visible to non-members.
- Now, as a non-member, just visit the project details page https://gitlab.com/<UserName>/<ProjectName> and do inspect element in the browser.
- In the Body html tag, you should see the data-find-file attribute, which exposes the default branch. Note that the default branch can be set to anything by admins.
Examples
You can see my project here at https://gitlab.com/gitlabadminuser/thisispublicproject and follow the above steps to learn the default branch of this project.
What is the current bug behavior?
The default branch is visible to non-members when they do not have any access to the repository.
What is the expected correct behavior?
None of the repository-related information should be visible to non-members when they do not have access.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too.
Regards,
Ashish
Impact
This bug exposes the default branch to:
- Non-members in a public project when repository access is "only project members"
- Guests in a private project when they do not have any access to the repository
- (with no badges set up in projects/groups)
- (with public pipelines disabled)
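The curl/grep check in the update above and the inspect-element steps in the report both boil down to one question: does the anonymous project page still carry the ref anywhere in its markup? The following is an added regression check, not code from the report or from GitLab: it parses a page body and collects every attribute or path that carries a ref (the `repository_ref` input, `data-*-ref` attributes, `data-find-file` and ref-bearing `/-/graphs|find_file|tree|blob|commits/` links). The sample HTML is constructed from the fragments quoted in the update; the exact shape of the `data-find-file` value is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample, built from the fragments quoted in the update comment.
# The data-find-file path format is assumed, not taken from the page.
LEAKING_HTML = """
<body data-find-file="/dcouture/norepoaccess/-/find_file/this_is_the_default_branch" data-page="projects:show">
<input type="hidden" name="repository_ref" id="repository_ref" value="this_is_the_default_branch" />
<div class="search-autocomplete-opts hide" data-autocomplete-path="/search/autocomplete" data-autocomplete-project-id="4588281" data-autocomplete-project-ref="this_is_the_default_branch"></div>
<li class=""><a class="shortcuts-repository-charts" title="Repository" href="/dcouture/norepoaccess/-/graphs/this_is_the_default_branch/charts"><span>Repository</span></a></li>
</body>
"""

# Constructed: what the same page should look like once refs are withheld.
CLEAN_HTML = """
<body data-page="projects:show">
<div class="search-autocomplete-opts hide" data-autocomplete-path="/search/autocomplete" data-autocomplete-project-id="4588281"></div>
</body>
"""

# Ref-bearing path: /<namespace>/<project>[/-]/<action>/<ref>[/...]
REF_URL = re.compile(r"^/[^?#]+?/(?:-/)?(?:graphs|find_file|tree|blob|commits)/([^/?#]+)")

class RefLeakFinder(HTMLParser):
    """Collects (tag, attribute, ref) for every place a ref shows up in the markup."""
    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Hidden search-form input that names the current ref.
        if tag == "input" and attrs.get("name") == "repository_ref" and attrs.get("value"):
            self.leaks.append((tag, "value", attrs["value"]))
        for name, value in attrs.items():
            if not value:
                continue
            if name.startswith("data-") and name.endswith("-ref"):
                self.leaks.append((tag, name, value))            # e.g. data-autocomplete-project-ref
            elif name in ("href", "data-find-file"):
                m = REF_URL.match(value)
                if m:
                    self.leaks.append((tag, name, m.group(1)))  # ref embedded in a path

def find_leaked_refs(html):
    parser = RefLeakFinder()
    parser.feed(html)
    return parser.leaks

def refs_leaked(html):
    """Distinct ref names an anonymous reader could learn from this page."""
    return sorted({ref for _, _, ref in find_leaked_refs(html)})
```

Fetch the project page unauthenticated (as the update's curl does) and feed the body to `refs_leaked`; a non-empty result on a project whose repository is restricted to project members means the leak is still present.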
Attachments
Warning: Attachments received through HackerOne, please exercise caution!