Issue created Jun 16, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Non project members can view public projects Deploy Keys

HackerOne report #1600325 by jimeno on 2022-06-14, assigned to @nmalcolm:

Report

Summary

Non-project members can view Deploy Keys of public projects when they shouldn't. The REST API strictly forbids this behavior, while the /-/autocomplete/* special endpoint allows it.

As you can see here in the official documentation, deploy keys can only be seen from Repository settings, an area to which non-members do not have access.

Steps to reproduce
  1. Victim creates a public project with any dummy file
  2. Browse to settings -> repository -> deploy keys (not tokens, be careful!!)
  3. Create one with any contents, with write permissions
  4. As a different user who is NOT a project member, browse to the project page and copy the project identifier via the UI
  5. As this user, browse to https://gitlab.com/-/autocomplete/deploy_keys_with_owners?project_id=[project-id] and notice how the keys are shown to you.
Impact

Non project members can view project deploy keys.

Examples
  1. Sign in to your GitLab SaaS account.
  2. Browse to https://gitlab.com/-/autocomplete/deploy_keys_with_owners?project_id=37015326 and you'll see Deploy Keys of https://gitlab.com/jimen0/x (project ID is 37015326).
What is the current bug behavior?

The deploy keys autocomplete endpoint just checks if the user can view the repository, not if they have write access to it.

This doesn't happen through the REST API:

$ curl -H 'Content-Type:application/json' -H "PRIVATE-TOKEN: ${PAT_ATTACKER}" "https://gl.jimenolabs.net/api/v4/projects/160/deploy_keys" -s | jq .
{
  "message": "403 Forbidden"
}

Notice the difference in the code.

  • Autocomplete endpoint:

      def deploy_keys_with_owners
        deploy_keys = DeployKey.with_write_access_for_project(project) # --> NOTICE HOW HERE THE KEYS ARE FETCHED WITHOUT TAKING INTO ACCOUNT THE CURRENT USER

        render json: DeployKeys::BasicDeployKeySerializer.new.represent(
          deploy_keys, { with_owner: true, user: current_user }
        )
      end
  • REST API:

      get ":id/deploy_keys" do
        keys = user_project.deploy_keys_projects.preload(deploy_key: :user)

        present paginate(keys), with: Entities::DeployKeysProject
      end
What is the expected correct behavior?

The autocomplete endpoint takes current_user into account when fetching the project keys.

Relevant logs and/or screenshots

N/A.

Output of checks

This bug happens on GitLab.com.

Results of GitLab environment info
root@gl:/# gitlab-rake gitlab:env:info

System information  
System:		  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.7.5p203  
Gem Version:	3.1.4  
Bundler Version:2.2.33  
Rake Version:	13.0.6  
Redis Version:	6.2.6  
Sidekiq Version:6.4.0  
Go Version:	unknown

GitLab information  
Version:	15.0.1-ee  
Revision:	d69f38d4a95  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	12.10  
URL:		https://gl.jimenolabs.net  
HTTP Clone URL:	https://gl.jimenolabs.net/some-group/some-project.git  
SSH Clone URL:	git@gl.jimenolabs.net:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: auth0

GitLab Shell  
Version:	14.3.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Captura_de_Pantalla_2022-06-14_a_las_13.31.14.png

How To Reproduce

Please add reproducibility information to this section:

Edited Jun 16, 2022 by Nick Malcolm
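As an added illustration that is not part of the report or of GitLab's own code, the Ruby model below contrasts the two authorization shapes the report describes: a listing gated only on read access to the project, and the same listing gated on the project-admin permission that the Repository settings page requires. Project, DeployKeyStore, can_read_project?, can_admin_project? and the sample data are all constructed for this example.

```ruby
# Added example, not GitLab's code: a minimal model of the gap the report
# describes. Project, DeployKeyStore, can_admin_project? etc. are constructed.
require 'set'

Project   = Struct.new(:id, :visibility, :maintainers) # maintainers: Set of user names
DeployKey = Struct.new(:id, :title, :owner, :project_id, :can_push)

class DeployKeyStore
  def initialize(keys)
    @keys = keys
  end
  # Like the scope in the report: filters by project and write access only,
  # with no notion of who is asking.
  def with_write_access_for_project(project)
    @keys.select { |k| k.project_id == project.id && k.can_push }
  end
end

# Anyone may read a public project; only maintainers may administer it, which is
# the permission the Repository settings page (where keys live) requires.
def can_read_project?(user, project)
  project.visibility == :public || project.maintainers.include?(user)
end
def can_admin_project?(user, project)
  project.maintainers.include?(user)
end
# with_owner: true means the response exposes the key owner too, not just a title.
def serialize(key)
  { id: key.id, title: key.title, owner: key.owner }
end

# Vulnerable shape: gated on read access alone, so any visitor to a public
# project receives the key list.
def deploy_keys_with_owners_vulnerable(store, user, project)
  return { status: 404 } unless can_read_project?(user, project)
  { status: 200, keys: store.with_write_access_for_project(project).map { |k| serialize(k) } }
end

# Hardened shape: the same lookup behind the admin check, so non-members get
# the 403 the REST API already returns.
def deploy_keys_with_owners_fixed(store, user, project)
  return { status: 404 } unless can_read_project?(user, project)
  return { status: 403, message: '403 Forbidden' } unless can_admin_project?(user, project)
  { status: 200, keys: store.with_write_access_for_project(project).map { |k| serialize(k) } }
end

# Constructed sample data: one public project, one push key and one read-only key.
PUBLIC_PROJECT = Project.new(160, :public, Set['victim'])
STORE = DeployKeyStore.new([DeployKey.new(1, 'ci-deploy', 'victim', 160, true),
                            DeployKey.new(2, 'mirror', 'victim', 160, false)])
```

Calling both functions as 'outsider' (a non-member) against PUBLIC_PROJECT shows the difference: the vulnerable version returns the push-capable key and its owner, the fixed version returns the same 403 the REST API gives.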