Non-project members can view public projects' deploy keys
HackerOne report #1600325 by jimeno
on 2022-06-14, assigned to @nmalcolm:
Report
Summary
Non-project members can view the deploy keys of public projects, which they should not be able to do. The REST API strictly forbids this, while the /-/autocomplete/* special endpoint allows it.
As the official documentation states, deploy keys can only be seen from the repository settings, an area to which non-members do not have access.
Steps to reproduce
- Victim creates a public project with any dummy file
- Browse to settings -> repository -> deploy keys (not tokens, be careful!!)
- Create one with any contents, with write permissions
- As a different user who is NOT a project member, browse to the project page and copy the project identifier via the UI
- As this user, browse to https://gitlab.com/-/autocomplete/deploy_keys_with_owners?project_id=[project-id] and notice how the keys are shown to you.
Impact
Non project members can view project deploy keys.
Examples
- Sign in to your GitLab SaaS account.
- Browse to https://gitlab.com/-/autocomplete/deploy_keys_with_owners?project_id=37015326 and you'll see the deploy keys of https://gitlab.com/jimen0/x (project ID is 37015326).
What is the current bug behavior?
The deploy keys autocomplete endpoint only checks whether the user can view the repository, not whether they have write access to it (the level at which deploy keys are managed).
This doesn't happen through the REST API:
$ curl -H 'Content-Type:application/json' -H "PRIVATE-TOKEN: ${PAT_ATTACKER}" "https://gl.jimenolabs.net/api/v4/projects/160/deploy_keys" -s | jq .
{
"message": "403 Forbidden"
}
Notice the difference in the code. The autocomplete action fetches the project's keys by project alone; the requesting user never enters the query:

Autocomplete endpoint:

    def deploy_keys_with_owners
      # NOTICE HOW HERE THE KEYS ARE FETCHED WITHOUT TAKING INTO ACCOUNT THE CURRENT USER
      deploy_keys = DeployKey.with_write_access_for_project(project)

      render json: DeployKeys::BasicDeployKeySerializer.new.represent(
        deploy_keys, { with_owner: true, user: current_user }
      )
    end

REST API endpoint (the 403 above comes from an authorization filter applied to the whole resource, which is not part of this excerpt):

    get ":id/deploy_keys" do
      keys = user_project.deploy_keys_projects.preload(deploy_key: :user)

      present paginate(keys), with: Entities::DeployKeysProject
    end
What is the expected correct behavior?
The autocomplete endpoint should take current_user into account when fetching the project keys, enforcing the same permission the REST API does before returning any key.
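The gap between the two endpoints, and the fix described above, as an added, self-contained example. This is not GitLab's code: the policy helpers are simplified stand-ins for GitLab's read-project and admin-project abilities, and the access level, struct names and sample project/key data are assumptions made for illustration.

```ruby
# Added example, not GitLab's code: a minimal model of the authorization gap in
# the report. can_read_project? / can_admin_project? are simplified stand-ins for
# GitLab's abilities; MAINTAINER, the structs and the sample data are assumptions.
require 'json'

MAINTAINER = 40 # assumed access level that may manage repository settings

Project       = Struct.new(:id, :path, :visibility, :members)   # members: { username => access_level }
DeployKey     = Struct.new(:id, :title, :fingerprint, :owner)
DeployKeyLink = Struct.new(:deploy_key, :project_id, :can_push) # stand-in for a deploy_keys_projects row

# Anyone can read a public project; only members can read a private one.
def can_read_project?(user, project)
  project.visibility == :public || project.members.key?(user)
end

# Only maintainers (and above) may administer repository settings, where deploy keys live.
def can_admin_project?(user, project)
  project.members.fetch(user, 0) >= MAINTAINER
end

# Stand-in for DeployKey.with_write_access_for_project(project): it selects by
# project only, so nothing about the requesting user enters the query.
def keys_with_write_access(links, project)
  links.select { |l| l.project_id == project.id && l.can_push }.map(&:deploy_key)
end

def serialize(key)
  { 'id' => key.id, 'title' => key.title, 'fingerprint' => key.fingerprint,
    'owner' => { 'username' => key.owner } }
end

# Vulnerable shape: reachable by anyone who can read the project, and the action
# adds no further check before returning the keys.
def deploy_keys_with_owners_vulnerable(current_user, project, links)
  return { status: 404, body: nil } unless can_read_project?(current_user, project)

  { status: 200, body: keys_with_write_access(links, project).map { |k| serialize(k) } }
end

# Hardened shape: require the same ability the REST API enforces for
# GET /projects/:id/deploy_keys before touching the keys at all.
def deploy_keys_with_owners_fixed(current_user, project, links)
  return { status: 404, body: nil } unless can_read_project?(current_user, project)
  return { status: 403, body: { 'message' => '403 Forbidden' } } unless can_admin_project?(current_user, project)

  { status: 200, body: keys_with_write_access(links, project).map { |k| serialize(k) } }
end

# Constructed sample data mirroring the report: a public project with one
# write-enabled deploy key, requested by a user who is not a member.
PUBLIC_PROJECT  = Project.new(37015326, 'jimen0/x', :public, { 'jimen0' => MAINTAINER })
PRIVATE_PROJECT = Project.new(160, 'some-group/some-project', :private, { 'jimen0' => MAINTAINER })
SAMPLE_KEY      = DeployKey.new(1, 'ci-deploy', 'SHA256:constructed-fingerprint', 'jimen0')
SAMPLE_LINKS    = [
  DeployKeyLink.new(SAMPLE_KEY, PUBLIC_PROJECT.id, true),
  DeployKeyLink.new(SAMPLE_KEY, PRIVATE_PROJECT.id, true)
]

if __FILE__ == $PROGRAM_NAME
  %w[vulnerable fixed].each do |variant|
    resp = send("deploy_keys_with_owners_#{variant}", 'attacker', PUBLIC_PROJECT, SAMPLE_LINKS)
    puts "#{variant}: non-member on public project -> #{resp[:status]} #{JSON.generate(resp[:body])}"
  end
end
```

Run as a script and the vulnerable variant hands the non-member the key (200 with the key's title, fingerprint and owner), while the fixed variant answers 403, matching the REST API's response. On a private project both variants answer 404, so the added check only changes the outcome for readers who are not maintainers, which is exactly the population the autocomplete endpoint was over-serving.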
Relevant logs and/or screenshots
N/A.
Output of checks
This bug happens on GitLab.com.
Results of GitLab environment info
root@gl:/# gitlab-rake gitlab:env:info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.4
Bundler Version: 2.2.33
Rake Version: 13.0.6
Redis Version: 6.2.6
Sidekiq Version: 6.4.0
Go Version: unknown
GitLab information
Version: 15.0.1-ee
Revision: d69f38d4a95
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.10
URL: https://gl.jimenolabs.net
HTTP Clone URL: https://gl.jimenolabs.net/some-group/some-project.git
SSH Clone URL: git@gl.jimenolabs.net:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: auth0
GitLab Shell
Version: 14.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell