Last commit message, description & sha1 hash of a private repo in a private group is leaked to guest users through merge request
HackerOne report #1465994 by albatraoz
on 2022-01-31, assigned to GitLab Team
:
Report | Attachments | How To Reproduce
Report
Summary
Commit related details like commit message, description, sha1, etc are leaked to demoted guest users who should not have access to the repository of a private project according to the permission model. This information is leaked through a fork of the project created by the user(reporter/developer) before being demoted to guest. Once being demoted to guest, the user is able to sneak all the latest commits to the parent branch.
Steps to reproduce
- Create a private project in a group as user A.
- Add User B as a reporter to this project.
- As User B create a fork of the project on you personal namespace.
- As User A demote User B to guest from the group settings.
- As User B visit the forked repo & go to the create new merge request. In the target branch you will see the parent branch is selected & the commit message is being leaked.
- As User A add a new commit message to the parent branch.
- As User B refresh the page opened in step 5 & you will see the latest commit added by User A in step 6.
POC
Attaching a video as POC for easier reproduction of the issue
commit_leak.mp4
Impact
An attacker would be able to snoop into commit messages on the default branch even after being demoted to guest user. These commit messages or descriptions may include confidential information to the repo like unreleased features/ vulnerability information, etc
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: