  • #389191
Issue created Jan 24, 2023 by GitLab SecurityBot@gitlab-securitybotReporter

Private project guests can leak source code using a fork

HackerOne report #1837937 by shells3c on 2023-01-18, assigned to @fvpotvin:


Report

Summary

Guests are not allowed to read the repository of a private project; however, if they have access to any fork of that project, they can read new code changes compared to the fork.

The exploit uses the "Compare Git revisions" feature. Even though the security checks are performed pretty well in the UI, the API lacks a bit.

Steps to reproduce
  1. As user A, create a private project and create a file dummy.txt with the content: original content
  2. Invite user B to the private project as Reporter
  3. As user B, fork the private project
  4. Now user A downgrades user B's permission to Guest, which means user B can't read the repository anymore
  5. User A edits the content of dummy.txt to edited content
  6. User B visits the following URL to see the recent change from user A: https://gitlab.com/api/v4/projects/<FORK ID>/repository/compare?from=main&to=main&straight=true&from_project_id=<PROJECT ID>

Note: It's not necessary that the fork be yours; it can be anyone's fork as long as you have read_code access. For example, the private project was formerly a public project and someone forked it, or a private fork changed its visibility to public, or you requested access to a private fork; a lot of scenarios can happen.

Output of checks

This bug happens on GitLab.com

Impact

Guests can read the repository of the private project through a fork

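The steps above boil down to one missing authorization check: the compare endpoint verifies that the caller can read code in the project named in the URL path (the fork), but not in the project named by `from_project_id` (the private upstream). The following is an added example, written for this page and not the reporter's or GitLab's code: a toy Python model of that endpoint with the vulnerable check beside the hardened one, replayed against the report's scenario (user B forks as Reporter, is downgraded to Guest, then compares the fork's `main` against upstream `main`). The role table, the `Project` type, the `compare_*` functions and the single-file "repository" are all constructed assumptions; `build_compare_url` only reproduces the URL shape from step 6.

```python
"""Toy model of the fork-compare authorization gap described in the report.

Constructed for illustration; it is not GitLab's implementation. A "repository"
here is a dict of branch -> file content, and a "diff" is just old/new content.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Roles that hold read_code on a private project. Guest is deliberately absent:
# a Guest on a private project may see issues but not source (the report's premise).
CODE_READERS = {"reporter", "developer", "maintainer", "owner"}


@dataclass
class Project:
    id: int
    visibility: str                                   # "private" or "public"
    members: Dict[str, str] = field(default_factory=dict)    # user -> role
    branches: Dict[str, str] = field(default_factory=dict)   # branch -> content
    forked_from: Optional[int] = None


class Forbidden(Exception):
    """Stands in for an HTTP 403/404 from the API."""


def can_read_code(user: str, project: Project) -> bool:
    if project.visibility == "public":
        return True
    return project.members.get(user) in CODE_READERS


def diff(old: str, new: str) -> List[dict]:
    """Minimal stand-in for a git diff: empty when nothing changed."""
    return [] if old == new else [{"old": old, "new": new}]


def compare_vulnerable(projects, user, project_id, frm, to, from_project_id=None):
    """Authorizes only the project in the URL path (the fork), as the report describes."""
    target = projects[project_id]
    if not can_read_code(user, target):
        raise Forbidden(f"{user} cannot read project {project_id}")
    # Bug: the source project is resolved without any permission check.
    source = projects[from_project_id] if from_project_id is not None else target
    return diff(source.branches[frm], target.branches[to])


def compare_hardened(projects, user, project_id, frm, to, from_project_id=None):
    """Same endpoint, but the caller must hold read_code on BOTH projects."""
    target = projects[project_id]
    source = projects[from_project_id] if from_project_id is not None else target
    for p in (target, source):
        if not can_read_code(user, p):
            raise Forbidden(f"{user} cannot read project {p.id}")
    return diff(source.branches[frm], target.branches[to])


def build_compare_url(base_url: str, fork_id: int, project_id: int, ref: str = "main") -> str:
    """The request from step 6 of the report, with the placeholders filled in."""
    return (f"{base_url}/api/v4/projects/{fork_id}/repository/compare"
            f"?from={ref}&to={ref}&straight=true&from_project_id={project_id}")


def reproduce(compare):
    """Replays steps 1-6 against a compare implementation; None means the API refused."""
    upstream = Project(1, "private", {"A": "owner", "B": "reporter"},
                       {"main": "original content"})                       # steps 1-2
    fork = Project(2, "private", {"B": "owner"},
                   {"main": "original content"}, forked_from=1)            # step 3
    projects = {1: upstream, 2: fork}
    upstream.members["B"] = "guest"                                         # step 4
    upstream.branches["main"] = "edited content"                            # step 5
    assert not can_read_code("B", upstream)      # B can no longer read upstream directly
    try:
        return compare(projects, "B", 2, "main", "main", from_project_id=1)  # step 6
    except Forbidden:
        return None


if __name__ == "__main__":
    print("URL:", build_compare_url("https://gitlab.com", 2, 1))
    print("vulnerable:", reproduce(compare_vulnerable))   # leaks "edited content"
    print("hardened:  ", reproduce(compare_hardened))     # None (refused)
```

The hardened variant is the shape of check a reviewer would look for whenever an endpoint accepts a second resource identifier such as `from_project_id`: every object the response is derived from needs its own authorization, not just the one in the path. Note that the leaked diff carries the private project's current content regardless of which direction the comparison runs.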
