GitLab.org / GitLab / Issues / #350476
Closed
Issue created Jan 17, 2022 by Pavel Shutsin (@pshutsin), Maintainer

Users can be searched by exact email match even if email is private

Summary

Extracted from https://gitlab.com/gitlab-org/gitlab/-/issues/29073#note_750601380

Currently the system allows searching users by an exact match of a private email. This creates a vulnerability where a list of candidate emails can be checked via the API to find active profiles on gitlab.com and associate those emails with public profile information.

For example:

  1. Attacker has a list of 100 possible emails, one of which is my_private_email@gitlab.com.
  2. Attacker queries GraphQL with users(search: "my_private_email@gitlab.com") and gets public information about my profile, even though the given email is private and not exposed on my profile page.

Solution proposal

Users shouldn't be searchable by their private emails, even with an exact match. That includes GraphQL searches, REST API searches and UI pages.
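As an added illustration (not GitLab's own code), a minimal Ruby model of the search behaviour this issue describes, with the exact-match lookup against the private account email beside the proposed fix that consults only the email a user has chosen to publish; the `User` struct, its field names and the sample accounts are constructed for the example.

```ruby
# Constructed model of a user record: `email` is the private account
# address, `public_email` is the address (if any) the user shows on
# their profile. These field names are assumptions for this example.
User = Struct.new(:username, :name, :email, :public_email, keyword_init: true)

# Constructed sample accounts: alice keeps her email private, bob has
# opted to publish a (different) address on his profile.
USERS = [
  User.new(username: "alice", name: "Alice A.",
           email: "my_private_email@gitlab.com", public_email: nil),
  User.new(username: "bob", name: "Bob B.",
           email: "bob-login@example.com", public_email: "bob@example.com"),
].freeze

# Behaviour described in the issue: an exact match against the private
# account email returns the user regardless of email visibility, so a
# caller holding candidate addresses learns which ones map to accounts.
def search_users_vulnerable(term, users = USERS)
  term = term.strip.downcase
  users.select do |u|
    u.username.downcase.include?(term) ||
      u.name.downcase.include?(term) ||
      u.email.downcase == term
  end
end

# Proposed behaviour: only the published profile email takes part in
# matching; the private account email is never consulted, not even for
# an exact match. The same predicate would back GraphQL, REST and UI search.
def search_users_hardened(term, users = USERS)
  term = term.strip.downcase
  users.select do |u|
    u.username.downcase.include?(term) ||
      u.name.downcase.include?(term) ||
      (u.public_email && u.public_email.downcase == term)
  end
end

# Usernames of the matched users, for comparing the two behaviours.
def usernames(results)
  results.map(&:username)
end
```

A regression check for the fix is the pair `search_users_hardened("my_private_email@gitlab.com")` returning nothing while `search_users_hardened("bob@example.com")` still finds bob through his published address.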

See more

Long original discussion: https://gitlab.com/gitlab-org/gitlab/-/issues/29073#note_722297169
