
Release Description visible in public projects despite release set as project members only

HackerOne report #1824226 by ashish_r_padelkar on 2023-01-05, assigned to @fvpotvin:


Report

Summary

Hello,

This is similar to #1725841, which is fixed, but there is a Tags API which leaks the release description.

Releases can be restricted to Only Project Members in the project settings. This should ensure that no release information is visible outside team members.

However, anyone can see the release Description in public projects through the Tags API at https://gitlab.com/api/v4/projects/<ID>/repository/tags even when releases are set to project members only.

Steps to reproduce
1. As a project owner, set your project as public with Releases set to Only Project Members at https://gitlab.com/<NameSpace>/<ProjectName>/edit#js-general-project-settings.

   (Screenshot: Screen_Shot_2023-01-06_at_12.48.34_AM.png)

2. Now create a Release at https://gitlab.com/<NameSpace>/<ProjectName>/-/releases. Put something important in the Description field.

3. Access https://gitlab.com/<NameSpace>/<ProjectName>/-/releases without authentication; you will get a 404 as the Release is only visible to team members.

4. Now visit the Tags API unauthenticated at https://gitlab.com/api/v4/projects/<ID>/repository/tags and you should see a Release array in the response with the Description field leaking from releases, which may contain important information that shouldn't be visible to unauthenticated users (or guest users).

Examples

You can visit my test project's tags at https://gitlab.com/api/v4/projects/40882501/repository/tags. Search for the Release array in the response and you should find the Description field, which you can read.

What is the current bug behavior?

Release Descriptions are disclosed in the Tags API despite releases being set to project members only.

What is the expected correct behavior?

Release Descriptions should not be visible to unauthenticated users when releases are set to only project members.

Output of checks

This bug happens on GitLab.com GitLab Enterprise Edition 15.8.0-pre be1706d789a

Regards,
Ashish

Impact

Release Description visible in public projects despite release set as project members only

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
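A scripted version of the reporter's steps 3 and 4, added here as an example and not part of the original report or of GitLab's code. It assumes the two URLs the report uses (the project's `/-/releases` web page, which the reporter saw return 404 to an anonymous client, and `/api/v4/projects/<ID>/repository/tags`), and it treats any non-200 status on the Releases page as "releases are hidden". The `SAMPLE_TAGS` payload is constructed to look like a vulnerable instance's response so the classification logic runs offline; `check_project` is the live variant and needs network access.

```python
"""Checker for the release-description leak described in the report.

Assumptions (not from the page): the GitLab base URL, project path and
project id are supplied by the caller; a non-200 status for the anonymous
Releases web page is taken to mean releases are hidden (the report saw 404).
"""
import json
import urllib.error
import urllib.request


def release_leaks(tags):
    """Return [(tag_name, description), ...] for every tag in the decoded
    Tags API response whose embedded `release` object carries a description.
    Tags without a release, or with an empty description, are not reported."""
    leaks = []
    for tag in tags:
        release = tag.get("release")
        if release and release.get("description"):
            leaks.append((tag["name"], release["description"]))
    return leaks


def classify(releases_page_status, tags):
    """Combine the two observations from the report's steps 3 and 4.

    releases_page_status: HTTP status an anonymous client received for
        /<NameSpace>/<ProjectName>/-/releases (200 means releases are public).
    tags: decoded JSON from /api/v4/projects/<ID>/repository/tags fetched
        anonymously.

    Returns "public" if releases are visible anyway, "leak" if releases are
    hidden but a description is still present in the tags payload, and "ok"
    otherwise.
    """
    leaks = release_leaks(tags)
    if releases_page_status == 200:
        return "public"
    return "leak" if leaks else "ok"


def _status(url):
    """HTTP status of an anonymous GET; urllib raises on 4xx/5xx, so the
    error's code is returned instead of propagating."""
    req = urllib.request.Request(url, headers={"User-Agent": "release-leak-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_project(base, namespace, project, project_id):
    """Run steps 3 and 4 against a live instance (assumed URL layout).
    Returns (classification, leaks)."""
    page_status = _status(f"{base}/{namespace}/{project}/-/releases")
    tags_url = f"{base}/api/v4/projects/{project_id}/repository/tags"
    req = urllib.request.Request(tags_url, headers={"User-Agent": "release-leak-check"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        tags = json.load(resp)
    return classify(page_status, tags), release_leaks(tags)


# Constructed sample: what a vulnerable instance returns for two tags, one of
# which has a members-only release attached (field names follow the Tags API).
SAMPLE_TAGS = [
    {"name": "v1.0.0", "message": "", "release": None},
    {"name": "v1.1.0", "message": "",
     "release": {"tag_name": "v1.1.0",
                 "description": "internal: rotate staging DB password"}},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed payload; for a real check call
    # check_project("https://gitlab.com", "<NameSpace>", "<ProjectName>", "<ID>").
    print(classify(404, SAMPLE_TAGS), release_leaks(SAMPLE_TAGS))
```

After the fix, an anonymous request to a project with releases restricted to members should classify as "ok" because the `release` key is no longer present in the tags payload; a project whose releases are public still classifies as "public", which is not a finding.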

Implementation plan

Check the :read_release permission in the Tags API before exposing releases alongside tags. This also applies to the GET ':id/repository/tags/:tag_name' endpoint.

diff --git a/lib/api/entities/tag.rb b/lib/api/entities/tag.rb
index 713bae64d5c3..e249fd189fc5 100644
--- a/lib/api/entities/tag.rb
+++ b/lib/api/entities/tag.rb
@@ -12,7 +12,7 @@ class Tag < Grape::Entity
       end
 
       # rubocop: disable CodeReuse/ActiveRecord
-      expose :release, using: Entities::TagRelease do |repo_tag, options|
+      expose :release, using: Entities::TagRelease, if: -> (*) { options[:show_releases] } do |repo_tag, options|
         options[:project].releases.find_by(tag: repo_tag.name)
       end
       # rubocop: enable CodeReuse/ActiveRecord
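Review bot: with `if: -> (*) { options[:show_releases] }` the release is hidden whenever the `:show_releases` option is absent, so any other caller of `Entities::Tag` that does not pass it (the single-tag endpoint the implementation plan names, for one) will now silently drop `release` even for users who are allowed to read it; either pass `show_releases:` at every `present ... with: Entities::Tag` call site or have the entity compute the permission itself from the project and current user it is given. The `(*)` signature also discards the `(object, options)` arguments Grape hands to the condition and relies on the entity's own `options` reader being in scope; `if: ->(_tag, options) { options[:show_releases] }` states the same intent explicitly. Since the key is omitted rather than set to `null`, the payload shape changes for anonymous clients, which is worth a line in the API docs.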
diff --git a/lib/api/tags.rb b/lib/api/tags.rb
index 4ddf22c726fa..081c41452517 100644
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
@@ -45,7 +45,13 @@ class Tags < ::API::Base
 
         paginated_tags = Gitlab::Pagination::GitalyKeysetPager.new(self, user_project).paginate(tags_finder)
 
-        present_cached paginated_tags, with: Entities::Tag, project: user_project, cache_context: -> (_tag) { user_project.cache_key }
+        show_releases = can?(current_user, :read_release, user_project)
+
+        present_cached paginated_tags,
+                       with: Entities::Tag,
+                       project: user_project,
+                       cache_context: -> (_tag) { [user_project.cache_key, show_releases].join(':') },
+                       show_releases: show_releases
 
       rescue Gitlab::Git::InvalidPageToken => e
         unprocessable_entity!(e.message)
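Review bot: this hunk only covers the tag list route, while the implementation plan also names `GET ':id/repository/tags/:tag_name'`; with the entity change in tag.rb that route needs `show_releases:` passed as well, otherwise it hides the release from everyone. Folding `show_releases` into `cache_context` is the right call, since `present_cached` would otherwise hand an anonymous client the payload cached for a member (or the reverse). A request spec that asserts an anonymous request to a public project with releases restricted to members returns tags with no `release` key, and that a member still gets it with the cache warm from the anonymous request, would pin both behaviours down.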
Edited by Alishan Ladhani