Release Description visible in public projects despite release set as project members only
HackerOne report #1824226 by ashish_r_padelkar on 2023-01-05, assigned to @fvpotvin:
Report | Attachments | How To Reproduce
Report
Summary
Hello,
This is similar to #1725841 which is fixed but there is a TAG api which leaks the release description.
Release can be restricted for Only Project Members in project settings. This should ensure that no release information is visible outside team members.
However, anyone can see release Description in public projects through tags API at https://gitlab.com/api/v4/projects/<ID>/repository/tags even when releases are set as project members only.
Steps to reproduce
- As a project owner, set your project as public with
ReleasesasOnly Project Membersathttps://gitlab.com/<NameSpace>/<ProjectName>/edit#js-general-project-settings.
2.Now create a Release at https://gitlab.com/<NameSpace>/<ProjectName>/-/releases. Put something important within Description field .
3.Access the https://gitlab.com/<NameSpace>/<ProjectName>/-/releases without authentication but you will get 404 as Release is only visible for Team members.
4.Now visit TAGs API unauthenticated https://gitlab.com/api/v4/projects/<ID>/repository/tags and you should see Release array in response with Description field leaking from releases which may contain important information which shouldn't be visible to unauthenticated users (or guest users).
Examples
You can visit my test project tags https://gitlab.com/api/v4/projects/40882501/repository/tags. search for Release array in response and you should find Description field which you can read.
What is the current bug behavior?
Release Description are disclosed in tag API despite release set as project members only.
What is the expected correct behavior?
Release Description should not be visible for unauthenticated users when they are set as only project members
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 15.8.0-pre be1706d789a
Regards,
Ashish
Impact
Release Description visible in public projects despite release set as project members only
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
Implementation plan
Check :read_release permission in Tags API before showing Releases with Tags. Also applies to get ':id/repository/tags/:tag_name' endpoint.
diff --git a/lib/api/entities/tag.rb b/lib/api/entities/tag.rb
index 713bae64d5c3..e249fd189fc5 100644
--- a/lib/api/entities/tag.rb
+++ b/lib/api/entities/tag.rb
@@ -12,7 +12,7 @@ class Tag < Grape::Entity
end
# rubocop: disable CodeReuse/ActiveRecord
- expose :release, using: Entities::TagRelease do |repo_tag, options|
+ expose :release, using: Entities::TagRelease, if: -> (*) { options[:show_releases] } do |repo_tag, options|
options[:project].releases.find_by(tag: repo_tag.name)
end
# rubocop: enable CodeReuse/ActiveRecord
diff --git a/lib/api/tags.rb b/lib/api/tags.rb
index 4ddf22c726fa..081c41452517 100644
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
@@ -45,7 +45,13 @@ class Tags < ::API::Base
paginated_tags = Gitlab::Pagination::GitalyKeysetPager.new(self, user_project).paginate(tags_finder)
- present_cached paginated_tags, with: Entities::Tag, project: user_project, cache_context: -> (_tag) { user_project.cache_key }
+ show_releases = can?(current_user, :read_release, user_project)
+
+ present_cached paginated_tags,
+ with: Entities::Tag,
+ project: user_project,
+ cache_context: -> (_tag) { [user_project.cache_key, show_releases].join(':') },
+ show_releases: show_releases
rescue Gitlab::Git::InvalidPageToken => e
unprocessable_entity!(e.message)