Private email address of service desk issue creator disclosed via /api/v4/projects/{project_id}/issues?iids[]={issue_id}
HackerOne report #1933829 by ricardobrito
on 2023-04-04, assigned to GitLab Team
Report
Background
Service Desk allows non-members of a project to create issues on that project by sending an email to the Service Desk email address assigned to the project.
Recently, in GitLab 15.9, the following was introduced:
Redact Service Desk email addresses in issues: GitLab Service Desk makes it easy to interact with customers and provide support. To ensure that customer email addresses are kept private, you now need to have at least the Reporter role in a project or group to see the sender address of a Service Desk issue. This applies to both public and private projects.
The documentation says that only signed-in users with at least the Reporter role on the project are allowed to view the email address of the creator of a Service Desk issue.
Summary
I have found that a user with the guest role on a project is capable of leaking the redacted email address of the sender (creator of the issue) through the following API endpoint: http://your-instance.com/api/v4/projects/:id/issues
The user's email is leaked in the field service_desk_reply_to.
Pre-requisites
In order to test this functionality, you need to set up Service Desk for your instance so that your projects can have a Service Desk email address. The instructions to set this up can be found in the GitLab documentation.
Steps to reproduce
1. As user A, create a project, then inside the project go to Settings -> General -> Service Desk and enable it for this project.
2. Still on the same settings page, take note of the email address which users will use to create confidential issues on your project, e.g. in my PoC the email is gitlabhackerone+admin-group-admin-project-31-issue-[@]gmail.com.
3. Invite a guest user, say user B, to your project with the guest role.
4. Now send an email to gitlabhackerone+admin-group-admin-project-31-issue-[@]gmail.com.
5. If you reload the issues of the project, you will see that a new issue was created, with the title set to the subject of the email you just sent and the description set to its body.
6. This issue is confidential by default. Change it to public (according to the documentation, even public issues CANNOT have the sender's email leaked).
7. Access the issue as user B: you will be able to see the issue, but the email will be redacted.
8. So far so good, but now, as the guest user, generate an API access token and make the following request (I use Postman, but the curl command would be):
curl -sk -H "PRIVATE-TOKEN: YOUR-TOKEN" http://127.0.0.1:3000/api/v4/projects/:ID/issues
where YOUR-TOKEN is the guest user's token and ID is the project id. The result will contain the email address of the person whose email automatically created the issue, leaked in the service_desk_reply_to field.
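The following is an added example (not the reporter's PoC and not GitLab's code) that automates the check from step 8 and shows the role check the release note implies. It assumes a constructed sample of the /api/v4/projects/:id/issues response, the documented GitLab access-level values (Guest = 10, Reporter = 20), and a hypothetical redact_for_caller function standing in for whatever server-side filtering should apply; fetch_project_issues is only needed against a live instance and is not exercised by the sample.

```python
import json
import urllib.request
from typing import Iterable, List, Optional, Tuple

# GitLab access levels as documented for the members API. The 15.9 release
# note says at least Reporter is needed to see the Service Desk sender address.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Constructed sample of what the issues endpoint returns. The iids, titles
# and addresses are made up for this example; only the field names matter.
SAMPLE_RESPONSE = json.dumps([
    {"iid": 31, "title": "Login page broken", "confidential": False,
     "author": {"username": "support-bot"},
     "service_desk_reply_to": "customer@example.com"},
    {"iid": 32, "title": "Billing question", "confidential": True,
     "author": {"username": "support-bot"},
     "service_desk_reply_to": "another.customer@example.com"},
    {"iid": 33, "title": "Ordinary issue", "confidential": False,
     "author": {"username": "alice"},
     "service_desk_reply_to": None},
])


def disclosed_sender_emails(issues: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (iid, email) for every issue whose service_desk_reply_to is populated.

    Run this over a response obtained with a guest token: any hit is a
    sender address the documented policy says the guest must not see.
    """
    return [(issue["iid"], issue["service_desk_reply_to"])
            for issue in issues if issue.get("service_desk_reply_to")]


def fetch_project_issues(base_url: str, project_id: int, token: str,
                         iids: Optional[List[int]] = None) -> list:
    """GET the endpoint named in the report as the token's user (guest in the PoC).

    Equivalent to the curl command above; iids narrows it to specific issues
    via the iids[] query parameter from the report title.
    """
    url = f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/issues"
    if iids:
        url += "?" + "&".join(f"iids[]={iid}" for iid in iids)
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def redact_for_caller(issue: dict, access_level: int) -> dict:
    """Hypothetical server-side filter implied by the documented policy.

    Not GitLab's implementation: it simply blanks the sender address unless
    the caller holds at least the Reporter role, which is the check the
    JSON API was missing while the UI already applied it.
    """
    redacted = dict(issue)
    if access_level < REPORTER:
        redacted["service_desk_reply_to"] = None
    return redacted


def audit(issues: Iterable[dict], access_level: int) -> List[Tuple[int, str]]:
    """Apply the expected filter for a caller of the given role, then report leaks."""
    return disclosed_sender_emails(redact_for_caller(i, access_level) for i in issues)


if __name__ == "__main__":
    issues = json.loads(SAMPLE_RESPONSE)
    # What the vulnerable API hands a guest: raw sender addresses.
    print("raw response leaks:", disclosed_sender_emails(issues))
    # What a guest should get after the role check: nothing.
    print("guest after filter:", audit(issues, GUEST))
    # Reporter and above keep the address, as the release note describes.
    print("reporter after filter:", audit(issues, REPORTER))
    # Live use against an instance (replace the placeholders):
    # live = fetch_project_issues("http://127.0.0.1:3000", 31, "YOUR-TOKEN", iids=[1])
    # print(disclosed_sender_emails(live))
```

Against a live instance, an empty list from disclosed_sender_emails for a guest token means the endpoint honours the same Reporter threshold as the UI; any non-empty result reproduces the report.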
POC video:
Instance details
This bug happens on your-gitlab-instance, and it was tested on the latest GitLab version.
Impact
A guest user can leak the email address of the creator of a confidential Service Desk issue.