  • #351823
Closed
Issue created Feb 02, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Last commit message, description & sha1 hash of a private repo in a private group is leaked to guest users through merge request

HackerOne report #1465994 by albatraoz on 2022-01-31, assigned to GitLab Team:


Report

Summary

Commit-related details like the commit message, description, sha1, etc. are leaked to demoted guest users who should not have access to the repository of a private project according to the permission model. This information is leaked through a fork of the project created by the user (reporter/developer) before being demoted to guest. Once demoted to guest, the user is able to sneak a look at all the latest commits to the parent branch.

Steps to reproduce
  1. Create a private project in a group as user A.
  2. Add User B as a reporter to this project.
  3. As User B, create a fork of the project in your personal namespace.
  4. As User A, demote User B to guest from the group settings.
  5. As User B, visit the forked repo and go to "Create new merge request". In the target branch you will see that the parent branch is selected and the commit message is leaked.
  6. As User A, add a new commit to the parent branch.
  7. As User B, refresh the page opened in step 5 and you will see the latest commit added by User A in step 6.
POC

Attaching a video as a POC for easier reproduction of the issue:
commit_leak.mp4

Impact

An attacker would be able to snoop on commit messages on the default branch even after being demoted to guest. These commit messages or descriptions may include information confidential to the repo, like unreleased features, vulnerability information, etc.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • commit_leak.mp4

How To Reproduce

Please add reproducibility information to this section:
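The permission gap the reproduction steps describe, as an added example in Ruby (the language of the GitLab code base) that is not part of the report and is not GitLab's own code. It is a simplified model: project-level membership stands in for the group membership changed in step 4, `Policy.can_read_code?` encodes only the rule that matters here (on a private project a Guest cannot read the repository, a Reporter and above can), and `vulnerable_target_head` / `fixed_target_head` are hypothetical names for the two shapes the target-branch lookup on the new merge request page can take. All project, user and commit data is constructed.

```ruby
# Added example, not GitLab's code: a simplified model of the authorization
# gap described in the report. Membership is held on the project itself
# (the report changes it at the group level); the only policy rule modelled
# is that Guests cannot read code on a private project.

ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Commit = Struct.new(:sha, :title, :description)

class Project
  attr_reader :path, :visibility, :forked_from

  def initialize(path, visibility:, forked_from: nil)
    @path = path
    @visibility = visibility
    @forked_from = forked_from          # upstream project for a fork, else nil
    @members = {}                       # user => role
    @branches = Hash.new { |h, k| h[k] = [] }
  end

  # Setting a member's role again replaces the old role (promotion or demotion).
  def set_member(user, role)
    @members[user] = role
  end

  def role_of(user)
    @members[user]
  end

  def commit!(branch, sha, title, description)
    @branches[branch] << Commit.new(sha, title, description)
  end

  def head(branch)
    @branches[branch].last
  end
end

module Policy
  # Guests may not read code on a private project; Reporter and above may.
  def self.can_read_code?(user, project)
    return true if project.visibility == :public

    role = project.role_of(user)
    !role.nil? && ROLES[role] >= ROLES[:reporter]
  end
end

# Vulnerable shape (hypothetical name): the user is authorized against the fork
# they own, and the target branch head is then fetched through the fork
# relationship without re-checking access to the upstream project.
def vulnerable_target_head(user, fork_project, branch)
  raise "forbidden" unless Policy.can_read_code?(user, fork_project)

  fork_project.forked_from.head(branch)
end

# Fixed shape (hypothetical name): authorize against the target project too,
# at request time, so a demotion after the fork was created takes effect.
def fixed_target_head(user, fork_project, branch)
  raise "forbidden" unless Policy.can_read_code?(user, fork_project)

  target = fork_project.forked_from
  raise "forbidden" unless Policy.can_read_code?(user, target)

  target.head(branch)
end

# Walks the report's steps with constructed data and returns what each
# variant exposes to the demoted user.
def reproduce
  upstream = Project.new("group-a/private-app", visibility: :private)   # step 1
  upstream.set_member(:user_a, :owner)
  upstream.set_member(:user_b, :reporter)                               # step 2
  upstream.commit!("main", "1111111", "Initial import", "")

  fork_project = Project.new("user_b/private-app", visibility: :private,
                             forked_from: upstream)                     # step 3
  fork_project.set_member(:user_b, :owner)
  fork_project.commit!("main", "1111111", "Initial import", "")

  upstream.set_member(:user_b, :guest)                                  # step 4
  upstream.commit!("main", "2222222", "Add unreleased billing feature",
                   "constructed sample description")                    # step 6

  leaked = vulnerable_target_head(:user_b, fork_project, "main")        # step 7
  denied = begin
    fixed_target_head(:user_b, fork_project, "main")
  rescue RuntimeError => e
    e.message
  end

  { vulnerable: [leaked.sha, leaked.title], fixed: denied }
end

puts reproduce.inspect if $PROGRAM_NAME == __FILE__
```

Run with `ruby` to see the vulnerable variant return the sha and title of the commit made after the demotion while the fixed variant is refused. The design point is that a fork relationship is not an authorization: the check must be made against the project whose commits are being rendered, with the requester's current role, not against the fork the user owns or the role they held when the fork was created.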
