Default branch visible despite no permissions to repository

Update: per Michelle's comment here

The issue outlined in the description has been resolved; however, additional findings came up during the security review: gitlab-org/security/gitlab#103 (comment 333022117)

curl -s https://staging.gitlab.com/dcouture/norepoaccess | grep this_is_the_default_branch

<input type="hidden" name="repository_ref" id="repository_ref" value="this_is_the_default_branch" />
<div class="search-autocomplete-opts hide" data-autocomplete-path="/search/autocomplete" data-autocomplete-project-id="4588281" data-autocomplete-project-ref="this_is_the_default_branch"></div>
</a></li><li class=""><a class="shortcuts-repository-charts" title="Repository" href="/dcouture/norepoaccess/-/graphs/this_is_the_default_branch/charts"><span>Repository</span>

HackerOne report #706361 by ashish_r_padelkar on 2019-10-02, assigned to @cmaxim:

Summary

Hello,

The default branch should not be visible to guest/non-member users when they do not have any access to the repository. However, the default branch is still visible to such users.

I am reporting this issue because a similar report, #531694, which exposed the default branch when there was no access to the repository, was resolved before.

Steps to reproduce

  1. Create a public project with no access to the repository for non-members. This can be done by setting the repository to Only Project Members.

  2. This should ensure that no information related to the repository is visible to non-members.

  3. Now, as a non-member, just visit the project details page https://gitlab.com/<UserName>/<ProjectName> and use the browser's inspect element.

  4. In the body HTML tag, you should see the data-find-file attribute, which exposes the default branch. Note that the default branch can be set to anything by admins.

Screenshot_2019-10-02_at_17.17.31.png

Examples

You can see my project here at https://gitlab.com/gitlabadminuser/thisispublicproject and follow the above steps to learn the default branch of this project.

What is the current bug behavior?

The default branch is visible to non-members when they do not have any access to the repository.

What is the expected correct behavior?

None of the repository-related information should be visible to non-members when they do not have access.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too.

Regards,
Ashish

Impact

This bug exposes the default branch to:

  1. Non-members in a public project when the repository is set to only project members
  2. Guests in a private project when they do not have any access to the repository
  3. Projects/groups with no badges set up
  4. Projects with public pipelines disabled
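A regression check for the leak described above, added here as an example and not GitLab's own code: instead of grepping for a known branch name as in the curl command, it parses the project page a non-member receives and reports every attribute that names a repository ref (the body's data-find-file, the hidden repository_ref input, data-autocomplete-project-ref, and /-/graphs/<ref>/charts links). The sample HTML is constructed from the output quoted in the update; the shape of the data-find-file value (a find_file path ending in the ref) is an assumption.

```python
import re
from html.parser import HTMLParser

GRAPHS_RE = re.compile(r"/-/graphs/([^/]+)/charts")

# Constructed sample mirroring the curl output quoted in the issue; the
# data-find-file value is an assumed shape (a find_file path ending in the ref).
SAMPLE_PAGE = """
<body data-find-file="/dcouture/norepoaccess/-/find_file/this_is_the_default_branch">
<input type="hidden" name="repository_ref" id="repository_ref" value="this_is_the_default_branch" />
<div class="search-autocomplete-opts hide" data-autocomplete-path="/search/autocomplete"
     data-autocomplete-project-id="4588281" data-autocomplete-project-ref="this_is_the_default_branch"></div>
<li><a class="shortcuts-repository-charts" title="Repository"
       href="/dcouture/norepoaccess/-/graphs/this_is_the_default_branch/charts"><span>Repository</span></a></li>
</body>
"""


class RefCollector(HTMLParser):
    """Records {location: ref} for every attribute that names a repository ref."""

    def __init__(self):
        super().__init__()
        self.findings = {}

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if "data-find-file" in attrs:
            # Assumption: the value is a find_file path whose tail is the ref.
            path = attrs["data-find-file"]
            self.findings[f"{tag}[data-find-file]"] = (
                path.split("find_file/", 1)[1] if "find_file/" in path else path)
        if "data-autocomplete-project-ref" in attrs:
            self.findings[f"{tag}[data-autocomplete-project-ref]"] = attrs["data-autocomplete-project-ref"]
        if tag == "input" and attrs.get("name") == "repository_ref" and attrs.get("value"):
            self.findings["input[name=repository_ref]"] = attrs["value"]
        match = GRAPHS_RE.search(attrs.get("href", ""))
        if tag == "a" and match:
            self.findings["a[href*=/-/graphs/]"] = match.group(1)


def find_ref_leaks(html):
    """Return {location: ref} for each spot on the page that exposes a ref."""
    collector = RefCollector()
    collector.feed(html)
    collector.close()
    return collector.findings


def leaked_refs(html):
    """Distinct ref names a non-member can read off the page; empty means fixed."""
    return sorted(set(find_ref_leaks(html).values()))
```

Feed it the HTML of a project whose repository is restricted to project members, fetched without a session; any non-empty result is a regression of this report.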

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Gary Holtz