The /users/:username/exists action shouldn't be available when the GitLab instance doesn't allow registration
Summary
It's possible to enumerate a GitLab instance's usernames with the /users/:username/exists route. On an instance where registration is enabled there's nothing we can really do to protect against this, as even if this API didn't exist there's a point in the registration flow where we have to tell the user whether the username exists or not. However, when registration is disabled the /users/:username/exists route should require authentication.
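To make the enumeration concrete, here is an offline model of the action before and after the proposed guard, with the attacker's loop run against both. This is an added example, not GitLab's code: the namespace table, the wordlist and the two model actions are constructed for the demo, and `oracle?` is a hypothetical helper name.

```ruby
require 'json'

# Offline model of the /users/:username/exists action, added as an example
# (not GitLab's code). The namespace table and wordlist are constructed.
EXISTING_NAMESPACES = %w[dcouture gitlab-org docs].freeze
WORDLIST = %w[admin dcouture root gitlab-org nobody].freeze

# Current behaviour: the lookup answers every caller, whatever the settings.
def exists_unpatched(username, signup_enabled:, current_user:)
  [200, { exists: EXISTING_NAMESPACES.include?(username) }.to_json]
end

# Proposed behaviour: refuse before the lookup unless signup is open or the
# caller is signed in. Because the guard precedes the lookup, the rejected
# response carries nothing that depends on the username.
def exists_patched(username, signup_enabled:, current_user:)
  unless signup_enabled || current_user
    return [401, { message: '401 Unauthorized' }.to_json]
  end
  [200, { exists: EXISTING_NAMESPACES.include?(username) }.to_json]
end

# What an attacker does with the endpoint: try every candidate and keep the
# ones it confirms. `action` is one of the two model actions above.
def enumerate(action, wordlist, signup_enabled:, current_user:)
  wordlist.select do |name|
    status, body = action.call(name, signup_enabled: signup_enabled, current_user: current_user)
    status == 200 && JSON.parse(body)['exists']
  end
end

# The check a reviewer wants: for a given caller, does the endpoint answer
# differently for a name that exists and one that does not? If it does, the
# endpoint is a username oracle for that caller.
def oracle?(action, signup_enabled:, current_user:)
  present = action.call('dcouture', signup_enabled: signup_enabled, current_user: current_user)
  absent  = action.call('dcouture-does-not-exist', signup_enabled: signup_enabled, current_user: current_user)
  present != absent
end

if __FILE__ == $PROGRAM_NAME
  [[method(:exists_unpatched), 'unpatched'], [method(:exists_patched), 'patched']].each do |action, label|
    { 'signup on, anonymous' => [true, nil],
      'signup off, anonymous' => [false, nil],
      'signup off, signed in' => [false, 'alice'] }.each do |scenario, (signup, user)|
      found = enumerate(action, WORDLIST, signup_enabled: signup, current_user: user)
      puts format('%-9s %-22s oracle=%-5s found=%s', label, scenario,
                  oracle?(action, signup_enabled: signup, current_user: user), found.inspect)
    end
  end
end
```

Run it directly to see the table: the unpatched action is an oracle for every caller, while the patched one is an oracle only when signup is open or the caller is signed in, which is exactly the behaviour the issue asks for. The same `oracle?` check, pointed at a real instance with one known and one absent username, is how to verify a deployed fix.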
This is a follow-up to #297473 (comment 803416759)
Steps to reproduce
See that the API is accessible on ops.gitlab.net even if the instance doesn't allow registration.
https://ops.gitlab.net/users/dcouture/exists
https://ops.gitlab.net/users/dcouture-does-not-exist/exists
What is the current bug behavior?
/users/:username/exists is available even when registration is disabled.
What is the expected correct behavior?
/users/:username/exists should be available only to authenticated users when registration is disabled.
Possible fixes
I think something like this should work
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 26f56307862..a3209ee3617 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -145,6 +145,8 @@ def calendar_activities
end
def exists
+ unauthorized! unless Gitlab::CurrentSettings.signup_enabled? || current_user
+
render json: { exists: !!Namespace.find_by_path_or_name(params[:username]) }
end
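Review bot: the guard sits before the Namespace lookup, so an anonymous caller on a signup-disabled instance receives the same rejection for every username, which is the property this issue needs; two things to add alongside it. First, a request spec for the three cases (signup enabled and anonymous, signup disabled and anonymous, signup disabled and signed in), asserting that the anonymous signup-disabled response is identical for an existing and a non-existing name. Second, confirm that `unauthorized!` is actually a helper available in this Rails controller, as the hunk's only new call is that one; if it is not, `head :unauthorized` (or the controller's usual `render_404`) gives the same uniform response.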