Image attached to tag in private project is publicly visible
Summary
An image attached to a tag created in a private project is publicly visible: anyone who has the link can access it.
Steps to reproduce
- Create a new private project
- Initialize it with at least one commit
- Go to Repository -> Tags
- Click New tag
- Add a tag name
- Click Attach a file and attach a JPEG image
- Click Create tag
- Copy the link GitLab has prepared for the image you attached to the tag
- Sign out from GitLab
- Go to the link you copied before
Example Project
I created a private project https://gitlab.com/piotr.bladek/my-very-private-project, and a tag with two attachments within it:
- the first attachment is a JPEG file, which you can access even if you are not invited as my project contributor:
https://gitlab.com/piotr.bladek/my-very-private-project/uploads/cf3a81aa85eb4e6882a0b9ee5928117d/tumblr_omd7h45Ums1w73ry4o1_400.jpg
- the second attachment is a TXT file, which works as expected, so you can't access it if you are not invited to my project:
https://gitlab.com/piotr.bladek/my-very-private-project/uploads/4afcae55d916a5d1656a676242ce8205/doggo.txt
What is the current bug behavior?
You can access a private project tag's image by link, even if you do not have access to the private project repository as a contributor.
What is the expected correct behavior?
The GitLab application should respond with HTTP 302 and redirect you to the sign_in page.
Relevant logs and/or screenshots
CURL headers output:
- JPEG file
$ curl -I https://gitlab.com/piotr.bladek/my-very-private-project/uploads/cf3a81aa85eb4e6882a0b9ee5928117d/tumblr_omd7h45Ums1w73ry4o1_400.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 32488 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 14:12:54 GMT
Content-Type: image/jpeg
Content-Length: 32488
Accept-Ranges: bytes
Cache-Control: max-age=0, private, must-revalidate
Content-Disposition: inline; filename="tumblr_omd7h45Ums1w73ry4o1_400.jpg"; filename*=UTF-8''tumblr_omd7h45Ums1w73ry4o1_400.jpg
Content-Security-Policy: connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customem/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-clsrc 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net htt
Etag: "9a649efa183afdcd377ea1513a561bef"
Last-Modified: Tue, 12 Nov 2019 12:26:00 GMT
Pragma:
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: experimentation_subject_id=IjM3MGQ0NDlmLWY0YzItNGM1OC04ZDgxLTRkNzlmNzE4MmU4NSI%3D--e93f65ee21b7634e74a72d6124254ac29006105d; domain=.gitlab.com; path=/; expires
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Goog-Generation: 1573561560805189
X-Goog-Hash: crc32c=xzwrWQ==
X-Goog-Hash: md5=mmSe+hg6/c03fqFROlYb7w==
X-Goog-Metageneration: 1
X-Goog-Storage-Class: MULTI_REGIONAL
X-Goog-Stored-Content-Encoding: identity
X-Goog-Stored-Content-Length: 32488
X-Guploader-Uploadid: AEnB2Uq8Fz4kJ-Uw5Vcmi8Iqzc1ulHsYYLhwDQJC_zqDMfOwxrHqb8p0MTLFsLdf2z97eko9CjH9WE-diq4fhpx3q9dGh83bgEBdPdDAwf-wWKA7dEyIm8A
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: IYehkbGj3s1
X-Runtime: 0.057267
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
GitLab-LB: fe-19-lb-gprd
GitLab-SV: web-29-sv-gprd
- TXT file
$ curl -I https://gitlab.com/piotr.bladek/my-very-private-project/uploads/4afcae55d916a5d1656a676242ce8205/doggo.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/1.1 302 Found
Server: nginx
Date: Tue, 12 Nov 2019 14:12:51 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Content-Security-Policy: connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customem/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-clsrc 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net htt
Location: https://gitlab.com/users/sign_in
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: experimentation_subject_id=IjExYzU1MDM1LTkyOWEtNDc1Ny05YWVlLWJiMDUzMWQ1YThiOCI%3D--df1f2f9ef41140e05bd58c73d03dc7188d44de98; domain=.gitlab.com; path=/; expires
Set-Cookie: _gitlab_session=f243e519c66848f1e3159c8ce7bbad82; path=/; secure; HttpOnly
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: uajbWOPaYT7
X-Runtime: 0.058128
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
GitLab-LB: fe-21-lb-gprd
GitLab-SV: web-27-sv-gprd
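As an added example (not code from the original issue or from GitLab), the following Python parses `curl -I` transcripts like the two above and reports which upload URLs were served to a signed-out client instead of being redirected to `/users/sign_in`, so a project owner can re-check their own private projects' attachment links after a fix. The hostnames, paths and trimmed sample transcripts are constructed placeholders; the `/users/sign_in` path is the one from the Location header of the TXT response.

```python
"""Access-control check for GitLab project uploads.

Added example, not code from the original issue or from GitLab. It parses the
text that `curl -I` prints for an /uploads/ URL fetched while signed out and
classifies the answer: the file served (exposed), a 302 to the sign-in page
(protected, the behaviour the issue expects), or anything else. The sample
transcripts below are constructed, trimmed from the two responses quoted in
the issue; hostnames and paths are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIGN_IN_PATH = "/users/sign_in"  # GitLab login route, as in the TXT response's Location header

STATUS_LINE = re.compile(r"HTTP/\d(?:\.\d)?\s+(\d{3})")


@dataclass
class UploadProbe:
    url: str
    status: Optional[int]
    content_type: str
    location: str

    @property
    def verdict(self) -> str:
        """'protected' if bounced to sign-in, 'exposed' if served, else 'unexpected'."""
        if self.status == 302 and SIGN_IN_PATH in self.location:
            return "protected"
        if self.status == 200:
            return "exposed"
        return "unexpected"


def parse_curl_head(url: str, raw: str) -> UploadProbe:
    """Turn a captured `curl -I` transcript into an UploadProbe.

    curl's progress meter goes to stderr; when both streams are captured together
    it ends up glued to the status line ("...--:--:--     0HTTP/1.1 200 OK"), so
    the status line is located by regex and only the text after it is treated
    as headers.
    """
    m = STATUS_LINE.search(raw)
    status = int(m.group(1)) if m else None
    headers: Dict[str, str] = {}
    for line in raw[m.end():].splitlines() if m else []:
        name, sep, value = line.partition(":")
        if sep:
            # keep the first value; GitLab repeats some headers (Referrer-Policy)
            headers.setdefault(name.strip().lower(), value.strip())
    return UploadProbe(
        url=url,
        status=status,
        content_type=headers.get("content-type", ""),
        location=headers.get("location", ""),
    )


def audit(transcripts: Dict[str, str]) -> List[Tuple[str, str, Optional[int]]]:
    """Classify every transcript; exposed uploads are listed first."""
    probes = [parse_curl_head(url, raw) for url, raw in transcripts.items()]
    probes.sort(key=lambda p: p.verdict != "exposed")
    return [(p.verdict, p.url, p.status) for p in probes]


# Constructed samples (placeholder host/paths), trimmed from the issue's transcripts.
JPEG_HEAD = """\
$ curl -I https://gitlab.example/owner/private-project/uploads/<hash>/image.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 32488    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Content-Length: 32488
Cache-Control: max-age=0, private, must-revalidate
Referrer-Policy: strict-origin-when-cross-origin
"""
TXT_HEAD = """\
$ curl -I https://gitlab.example/owner/private-project/uploads/<hash>/notes.txt
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 302 Found
Server: nginx
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Location: https://gitlab.example/users/sign_in
Set-Cookie: _gitlab_session=<redacted>; path=/; secure; HttpOnly
"""
SAMPLES = {
    "https://gitlab.example/owner/private-project/uploads/<hash>/image.jpg": JPEG_HEAD,
    "https://gitlab.example/owner/private-project/uploads/<hash>/notes.txt": TXT_HEAD,
}

if __name__ == "__main__":
    for verdict, url, status in audit(SAMPLES):
        print(f"{verdict:10} {status}  {url}")
```

To use it against real transcripts, capture `curl -I <upload-url> 2>&1` for each attachment link from a signed-out shell and feed the captured text to `parse_curl_head`; any `exposed` verdict on a private project's upload is the behaviour this issue reports. Any status other than 200 or the sign-in redirect is deliberately reported as `unexpected` rather than silently treated as safe.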
JPEG image accessible from the browser while I'm signed out:

Output of checks
This bug happens on GitLab.com