Private project guests can leak source code using a fork

HackerOne report #1837937 by shells3c on 2023-01-18, assigned to @fvpotvin:

Report

Summary

Guests are not allowed to read the repository of a private project; however, if they have access to any fork of that project, they can read new code changes compared to the fork.

The exploit uses the "Compare Git revisions" feature; even though the security checks are performed pretty well in the UI, the API lacks a bit.

Steps to reproduce
  1. As user A, create a private project and create a file dummy.txt with the content: original content
  2. Invite user B to the private project as Reporter
  3. As user B, fork the private project
  4. Now user A downgrades user B's permission to Guest, which means user B can't read the repository anymore
  5. User A edits dummy.txt content to edited content
  6. User B visits the following URL to see the recent change from user A: https://gitlab.com/api/v4/projects/<FORK ID>/repository/compare?from=main&to=main&straight=true&from_project_id=<PROJECT ID>

Note: It's not necessary that the fork be yours; it can be anyone's fork as long as you have read_code access. For example, the private project was formerly a public project and someone forked it, or a private fork changed its visibility to public, or you request access to a private fork; a lot of scenarios can happen.

Output of checks

This bug happens on GitLab.com

Impact

Guests can read the repository of the private project through a fork
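The authorization gap the report describes, as an added Ruby model (not GitLab's code): the vulnerable shape checks read_code only on the project in the URL path (the fork), while the hardened shape also checks it on the project named by from_project_id. Role names, the Struct fields and the function names are assumptions made for this illustration.

```ruby
# Hypothetical model of authorization for a cross-project compare call such as
# GET /projects/:fork_id/repository/compare?from_project_id=:upstream_id
# Not GitLab's implementation; role ranks and names are constructed here.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30 }.freeze

Project = Struct.new(:id, :visibility, :members, :forked_from_id)

# read_code: anyone on a public project; on a private project only members
# at Reporter or above (Guest sits below the threshold, as in the report).
def can_read_code?(user, project)
  return true if project.visibility == :public
  role = project.members[user]
  !role.nil? && ROLE_RANK[role] >= ROLE_RANK[:reporter]
end

# Vulnerable shape: authorizes only the fork from the URL path and trusts
# from_project_id without checking that the caller can read that project.
def compare_vulnerable(user, projects, fork_id, from_project_id)
  fork = projects.fetch(fork_id)
  return :forbidden unless can_read_code?(user, fork)
  { diff_between: [from_project_id, fork_id] }
end

# Hardened shape: every repository contributing commits to the diff must be
# readable by the caller, so the source project is authorized as well.
def compare_fixed(user, projects, fork_id, from_project_id)
  fork = projects.fetch(fork_id)
  source = projects.fetch(from_project_id, nil)
  return :forbidden unless can_read_code?(user, fork)
  return :not_found if source.nil?
  return :forbidden unless can_read_code?(user, source)
  { diff_between: [from_project_id, fork_id] }
end

# Constructed scenario from the report: B forked while Reporter, was then
# downgraded to Guest on the upstream, but still has full rights on the fork.
def scenario
  upstream = Project.new(1, :private, { "A" => :developer, "B" => :guest }, nil)
  fork     = Project.new(2, :private, { "B" => :developer }, 1)
  { 1 => upstream, 2 => fork }
end
```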

How To Reproduce

Please add reproducibility information to this section: