Elasticsearch leaks default branch name for public projects with private repositories
HackerOne report #1418431 by rpadovani
on 2021-12-07, assigned to @rshambhuni:
Report
Summary
Building the right search query, it is possible to retrieve the default branch name of a public project with private repository access.
Steps to reproduce
- The project needs to have Elasticsearch indexing active;
- You do a search for anything at project level
- You change the parameters of the URL. In particular, you set scope=blob and repository_ref=null;
- The result page will tell you: "Advanced search is disabled since null is not the default branch; search on <default_branch> instead."
Impact
Disclosure of the name of the default branch of any public project with private repo.
Examples
What is the current bug behavior?
While I cannot access the code, I can retrieve the default branch name
What is the expected correct behavior?
The advice on which branch I should search should be deactivated if I cannot access the repo.
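As an added illustration of the expected behavior (this is not GitLab's code; the report does not include any), the sketch below contrasts a notice that is built from the requested ref alone with one that checks repository access before consulting the default branch. The Project and User structs and the helper names are assumptions:

```ruby
# Added example, not GitLab's code. Minimal stand-ins for the project and user
# (assumed shapes): a project has a default branch and a repository that is
# either public or private; a user is either a member or not.
Project = Struct.new(:default_branch, :repository_public, keyword_init: true)
User = Struct.new(:member, keyword_init: true)

# Assumed access rule: a private repository is readable only by members.
# A nil user represents an anonymous visitor.
def can_read_repository?(user, project)
  project.repository_public || (user && user.member)
end

# Vulnerable form: the notice depends only on the ref in the URL, so passing a
# non-default ref (e.g. repository_ref=null) echoes the default branch name to
# anyone who can see the public project page, even without repository access.
def search_notice_vulnerable(project, repository_ref)
  return nil if repository_ref == project.default_branch

  "Advanced search is disabled since #{repository_ref} is not the default " \
    "branch; search on #{project.default_branch} instead."
end

# Hardened form: decide on access first. Neither the text of the notice nor
# whether it appears at all may depend on the default branch for a user who
# cannot read the repository; otherwise the presence of the notice would still
# act as a yes/no oracle for guessed branch names.
def search_notice_hardened(user, project, repository_ref)
  return "Code search is not available for this project." unless can_read_repository?(user, project)
  return nil if repository_ref == project.default_branch

  "Advanced search is disabled since #{repository_ref} is not the default " \
    "branch; search on #{project.default_branch} instead."
end
```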
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com