Unverified user is able to clone internal projects and the project wiki

HackerOne report #749738 by u3mur4 on 2019-12-02, assigned to @dcouture:

Summary

An attacker can create an account when the Whitelisted domains for sign-ups and Send confirmation email on sign-up settings are enabled, but cannot log in because he does not own the email address and therefore cannot access the confirmation email. However, the unverified user can still clone internal repositories.

Steps to reproduce

ADMIN SETUP:

  • Sign in to a GitLab instance as an Admin user
  • Go to Admin Area => Settings => General => Sign-up restrictions
  • Enable the Send confirmation email on sign-up checkbox and set the Whitelisted domains for sign-ups text area to example.com
  • Click the Save Changes button
    restrictions.png

VICTIM SETUP:

  • Sign in to a GitLab instance as a Victim user
  • Create a new project and set the name to 'internal-project', set the visibility to internal and also check the Initialize repository with a README checkbox
    project.png

ATTACKER:

  • Go to the GitLab instance and register as an attacker

The attacker needs to know/guess the whitelisted domain name.

  • Simply clone the internal repository (use the attacker credentials)
$ mkdir /tmp/test && cd /tmp/test
$ git clone http://yoyo.pw:3000/victim/internal-project.git

The attacker needs to know/guess the internal project path.

The attacker successfully accessed the full git repo.

Video version:
poc.mp4

What is the current bug behavior?

  • Unverified user is able to steal internal repositories and the project wiki.
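The root cause in this class of bug is that "internal" visibility is defined as "any signed-in user", while the Git access layer treats an account as signed in as soon as its credentials are valid, regardless of whether the email address was ever confirmed. The following Ruby sketch is an added illustration, not GitLab's own authorization code: it places a minimal version of the flawed read check beside a hardened one that treats an unconfirmed account like an anonymous visitor, and adds a small audit helper that lists stale unconfirmed accounts. The `User`/`Project` structs, the sample users and the project path are constructed for the example.

```ruby
require 'time'

# Constructed model types (not GitLab's classes): enough state to decide read access.
User = Struct.new(:username, :confirmed_at, :created_at, keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end
end

Project = Struct.new(:path, :visibility, :member_usernames, keyword_init: true)

# Flawed variant: any authenticated account may read an "internal" project.
# The project wiki follows the same read permission, so it leaks too.
def can_read_project_vulnerable?(user, project)
  return true if project.visibility == :public
  return false if user.nil?
  return true if project.visibility == :internal
  project.member_usernames.include?(user.username)
end

# Hardened variant: an account that has not confirmed its email address is
# treated exactly like an anonymous visitor, so it only sees public projects.
def can_read_project_hardened?(user, project)
  return true if project.visibility == :public
  return false if user.nil? || !user.confirmed?
  return true if project.visibility == :internal
  project.member_usernames.include?(user.username)
end

# Git-over-HTTP style decision: a denied read is answered as "not found" rather
# than "forbidden", so the response does not confirm that the project path exists.
def git_fetch_status(user, project, policy)
  policy.call(user, project) ? 200 : 404
end

# Detection aid for administrators: accounts that registered more than
# max_age_hours ago and never confirmed their address deserve a look.
def stale_unconfirmed_accounts(users, now:, max_age_hours: 24)
  users.reject(&:confirmed?)
       .select { |u| (now - u.created_at) > max_age_hours * 3600 }
       .map(&:username)
end

# Constructed sample data mirroring the report's scenario.
NOW = Time.utc(2019, 12, 2, 12, 0, 0)
VICTIM = User.new(username: 'victim', confirmed_at: NOW - 86_400 * 30,
                  created_at: NOW - 86_400 * 30)
ATTACKER = User.new(username: 'attacker', confirmed_at: nil,
                    created_at: NOW - 3 * 3600)
INTERNAL_PROJECT = Project.new(path: 'victim/internal-project',
                               visibility: :internal,
                               member_usernames: ['victim'])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable policy: #{git_fetch_status(ATTACKER, INTERNAL_PROJECT, method(:can_read_project_vulnerable?))}"
  puts "hardened policy:   #{git_fetch_status(ATTACKER, INTERNAL_PROJECT, method(:can_read_project_hardened?))}"
  puts "stale unconfirmed: #{stale_unconfirmed_accounts([VICTIM, ATTACKER], now: NOW, max_age_hours: 1).inspect}"
end
```

The hardened check deliberately gates on confirmation before looking at the visibility level, so a later addition of another "signed-in only" visibility tier cannot reintroduce the gap; the unconfirmed account remains indistinguishable from an anonymous request everywhere below that line.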

Results of GitLab environment info

bundle exec rake gitlab:env:info RAILS_ENV=development  
System information  
System:		Ubuntu 16.04  
Proxy:		no  
Current User:	u3mur4  
Using RVM:	no  
Ruby Version:	2.6.3p62  
Gem Version:	3.0.3  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	3.0.6  
Git Version:	2.23.0  
Sidekiq Version:5.2.7  
Go Version:	go1.12.7 linux/amd64

GitLab information  
Version:	12.6.0-pre  
Revision:	cb759668e94  
Directory:	/home/u3mur4/gdk-foss/gitlab  
DB Adapter:	PostgreSQL  
DB Version:	11.5  
URL:		http://yoyo.pw:3000  
HTTP Clone URL:	http://yoyo.pw:3000/some-group/some-project.git  
SSH Clone URL:	ssh://u3mur4@localhost:2222/some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers:

GitLab Shell  
Version:	10.2.0  
Repository storage paths:  
- default: 	/  
GitLab Shell path:		/home/u3mur4/gdk-foss/gitlab-shell  
Git:		/usr/bin/git  

Impact

Unverified user is able to steal internal repositories and the project wiki.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • project.png
  • restrictions.png
  • poc.mp4