Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result
HackerOne report #748375 by rpadovani
on 2019-11-29, assigned to @jeremymatos:
Summary
When a public group with public projects is transferred to a private group, the code and the wiki of the public project, although they should now be private, are still reachable through the search APIs.
I set the severity as "medium" and not "high", because any new action over the project issues a re-indexing (or some actions, not sure), so if the transfer is for "archiving" purposes it is a problem, but if after the transfer other activities happen, then it is not a problem, because the project will be removed from the index.
Steps to reproduce
Alice creates the public group "Example", and a public project named "Example-project" inside the group. In the readme of the project, Alice writes "Example".
Now, Alice creates a private group called "private" and transfers the entire "Example" group to the "private" group.
If Bob (totally unrelated to Alice) searches for "Example" instance-wide, he will not find anything in the interface, but the result count will be "1" (see screenshot).
If he uses the APIs (e.g. http://localhost/api/v4/search?search=password&scope=blobs), he receives results containing the information that should be private.
This happens also with wiki_blobs.
This doesn't happen when transferring single projects, only when transferring entire groups.
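As an added example (not part of the report or of GitLab's code), a check an instance administrator can run against their own instance after a group transfer: it queries the instance-wide search API with the token of a user who has no access to the transferred group, for both the blobs and wiki_blobs scopes, and flags any hit whose project_id belongs to a project that should now be private. The base URL, the token, and the presence of a project_id field on each search hit are assumptions; the sample results are constructed.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of what /api/v4/search?scope=blobs might return;
# the project_id field on each hit is an assumption.
SAMPLE_BLOB_RESULTS = [
    {"project_id": 42, "path": "README.md", "data": "Example\n", "ref": "master"},
    {"project_id": 7, "path": "docs/intro.md", "data": "public text", "ref": "master"},
]


def leaked_hits(results, private_project_ids):
    """Return the search hits that reference a project the caller must not see."""
    private = set(private_project_ids)
    return [hit for hit in results if hit.get("project_id") in private]


def search_as_user(base_url, token, term, scope):
    """Call the instance-wide search API as the given (unprivileged) user.

    base_url and token are assumptions, e.g. "http://gitlab.example" and a
    personal access token of a user outside the transferred group.
    """
    query = urllib.parse.urlencode({"search": term, "scope": scope, "per_page": 100})
    req = urllib.request.Request(f"{base_url}/api/v4/search?{query}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_transfer(base_url, token, term, private_project_ids):
    """Check both the code and wiki indexes; return {scope: [leaked hits]}."""
    findings = {}
    for scope in ("blobs", "wiki_blobs"):
        hits = search_as_user(base_url, token, term, scope)
        leaked = leaked_hits(hits, private_project_ids)
        if leaked:
            findings[scope] = leaked
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: project 42 was moved
    # into the private group, so its README hit is a stale index entry.
    for hit in leaked_hits(SAMPLE_BLOB_RESULTS, {42}):
        print(f"stale index entry: project {hit['project_id']} {hit['path']}")
```

A non-empty result from audit_transfer means the index still serves content of the transferred projects and they need re-indexing before the transfer can be considered complete.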
Output of checks
Results of GitLab environment info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 3.2.12
Git Version: 2.22.0
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.5.2-ee
Revision: c1b3929bc67
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.9
URL: http://aldebaran
HTTP Clone URL: http://aldebaran/some-group/some-project.git
SSH Clone URL: git@aldebaran:some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 10.2.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Alice thinks her code is now private, but it is not, unless she continues working on the project.
Dev Issue
https://dev.gitlab.org/gitlab/gitlab-ee/issues/402