Private project guests can leak source code using a fork
HackerOne report #1837937 by shells3c on 2023-01-18, assigned to @fvpotvin:
Report
Summary
Guests are not allowed to read the repository of a private project; however, if they can access any fork of that project, they can read the new code changes in the private project relative to that fork.
The exploit uses the "Compare Git revisions" feature: the security checks are performed well in the UI, but the API is missing some of them.
Steps to reproduce
- As user A, create a private project and create a file named dummy.txt with the content "original content"
- Invite user B to the private project as Reporter
- As user B, fork the private project
- Now user A downgrades user B's permission to Guest, which means user B can no longer read the repository
- User A edits dummy.txt, changing its content to "edited content"
- User B visits the following URL to see the recent change from user A:
https://gitlab.com/api/v4/projects/<FORK ID>/repository/compare?from=main&to=main&straight=true&from_project_id=<PROJECT ID>
Note: the fork does not have to be yours; it can be anyone's fork as long as you have read_code access to it. For example, the private project was formerly a public project and someone forked it, or a private fork changed its visibility to public, or you requested access to a private fork; many scenarios are possible.
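As an added illustration (not GitLab's code and not part of the report), here is a minimal Ruby model of the authorization gap: one check authorizes only the project in the URL path (the fork), the other also authorizes the project named by from_project_id. Role names, the simplified read_code rule and the users/projects are constructed assumptions.

```ruby
# Constructed model of the missing check; NOT GitLab's implementation.
ROLE_LEVEL = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Project = Struct.new(:id, :visibility, :members, :forked_from_id, keyword_init: true)

# Simplified read_code rule: public projects are readable by anyone; on a
# private project the caller needs at least Reporter (Guest cannot read code).
def read_code?(user, project)
  return true if project.visibility == :public
  level = project.members[user]
  !level.nil? && ROLE_LEVEL[level] >= ROLE_LEVEL[:reporter]
end

# Vulnerable shape: only the project in the path (target_id, the fork) is
# authorized; from_project_id is trusted without its own read_code check.
def compare_allowed_vulnerable?(user, projects, target_id, _from_project_id)
  read_code?(user, projects.fetch(target_id))
end

# Hardened shape: every repository the compare reads from must pass read_code?,
# including the one referenced only through the from_project_id parameter.
def compare_allowed_fixed?(user, projects, target_id, from_project_id)
  read_code?(user, projects.fetch(target_id)) &&
    read_code?(user, projects.fetch(from_project_id))
end

# Constructed scenario from the report: user_b forked while Reporter, then was
# downgraded to Guest on the private upstream; user_b still owns the fork.
def report_projects
  upstream = Project.new(id: 1, visibility: :private,
                         members: { "user_a" => :owner, "user_b" => :guest },
                         forked_from_id: nil)
  fork = Project.new(id: 2, visibility: :private,
                     members: { "user_b" => :owner }, forked_from_id: 1)
  { 1 => upstream, 2 => fork }
end

# compare?from=main&to=main&from_project_id=1 issued against fork 2 by user_b
def report_scenario
  projects = report_projects
  { vulnerable: compare_allowed_vulnerable?("user_b", projects, 2, 1),
    fixed: compare_allowed_fixed?("user_b", projects, 2, 1) }
end

puts report_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The same pattern applies to a public fork: a non-member who can read the fork passes the vulnerable check but fails the hardened one on the private upstream.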
Output of checks
This bug happens on GitLab.com
Impact
Guests can read the repository of a private project through a fork.