
Release Description visible in public projects despite release set as project members only through atom response

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2079374 by ashish_r_padelkar on 2023-07-21, assigned to GitLab Team:

Report | How To Reproduce

Report

Summary

Hello,

I reported a similar issue here, #1824226, which was fixed a few months back, and I see that a similar issue exists at a different endpoint too.

Releases can be restricted to Only Project Members in the project settings. This should ensure that no release information is visible to anyone outside the project members.
However, anyone can see the release description in public projects through the tags endpoint /-/tags?format=atom at https://gitlab.com/<Namespace>/<projectName>/-/tags?format=atom even when releases are set to project members only.

Steps to reproduce

1. As a project owner, set your project to public with Releases set to Only Project Members at https://gitlab.com/<NameSpace>/<ProjectName>/edit#js-general-project-settings.

2. Now create a release at https://gitlab.com/<NameSpace>/<ProjectName>/-/releases. Put something important in the Description field, e.g. THIS_IS_IMPORTANT_RELEASE_DESCRIPTION.

3. Access https://gitlab.com/<NameSpace>/<ProjectName>/-/releases without authentication; you will get a 404, as the release is only visible to team members.

4. Now visit https://gitlab.com/<NameSpace>/<ProjectName>/-/tags; you will see tags, but no release information here either.

5. Now append ?format=atom to the end of the above URL, e.g. https://gitlab.com/<NameSpace>/<ProjectName>/-/tags?format=atom. In the response, you should see the release description THIS_IS_IMPORTANT_RELEASE_DESCRIPTION, which you shouldn't!

Examples

You can visit my test project at https://gitlab.com/groupjulypremium2023/project_july2023/-/tags. You will see tags, but no release information.

Now visit https://gitlab.com/groupjulypremium2023/project_july2023/-/tags?format=atom and you should find Release_1234 in the response, which is the description of one of my releases and which you shouldn't be able to see.

What is the current bug behavior?

Release descriptions are disclosed in the tags Atom response despite releases being set to project members only.

What is the expected correct behavior?

Release descriptions should not be visible to unauthenticated users when releases are set to project members only.

Output of checks

This bug happens on GitLab.com, GitLab Enterprise Edition 16.3.0-pre f7d52011546.

Regards,
Ashish

Impact

Release descriptions are visible in public projects despite releases being set to project members only.
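The following shell helper is an added example for checking the behaviour described in the report; it is not part of the report and not GitLab's own code. It fetches the tags Atom feed anonymously (no session cookie, no token) and tests whether a chosen marker string from a members-only release description shows up in the response. The feed snippets embedded below are constructed for the example and only mimic the shape of a tags feed; the project URL and the marker are placeholders.

```shell
#!/bin/sh
# Added verification helper (not from the original report or from GitLab).
# Checks whether an anonymous fetch of /-/tags?format=atom exposes a
# release description. Sample feeds and marker below are constructed.

set -u

# fetch_tags_atom PROJECT_URL
# Fetches the tags Atom feed unauthenticated and prints it to stdout.
fetch_tags_atom() {
  curl -sS -L -H 'Accept: application/atom+xml' "$1/-/tags?format=atom"
}

# feed_leaks_marker MARKER < feed.xml
# Returns 0 (leak) if MARKER appears anywhere in the feed read from stdin,
# 1 otherwise. A fixed-string substring match is used on purpose: the
# description is rendered to HTML inside <content> and may be entity-escaped,
# so an XML-aware match on a specific element would miss variants.
feed_leaks_marker() {
  grep -q -F -- "$1"
}

# leak_status MARKER < feed.xml
# Prints "LEAK" when the marker is present in the feed, "OK" otherwise.
leak_status() {
  if feed_leaks_marker "$1"; then
    echo LEAK
  else
    echo OK
  fi
}

# Constructed sample of a feed that still carries the description
# (shape only; not the content of any real project).
SAMPLE_LEAKING_FEED='<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>example_project tags</title>
  <entry>
    <title>v1.0.0</title>
    <content type="html">&lt;p&gt;THIS_IS_IMPORTANT_RELEASE_DESCRIPTION&lt;/p&gt;</content>
  </entry>
</feed>'

# Constructed sample of the expected behaviour: tag listed, no description.
SAMPLE_FIXED_FEED='<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>example_project tags</title>
  <entry>
    <title>v1.0.0</title>
  </entry>
</feed>'

# Runs the check against both constructed samples (offline).
check_samples() {
  printf '%s\n' "$SAMPLE_LEAKING_FEED" | leak_status THIS_IS_IMPORTANT_RELEASE_DESCRIPTION
  printf '%s\n' "$SAMPLE_FIXED_FEED" | leak_status THIS_IS_IMPORTANT_RELEASE_DESCRIPTION
}

# Live usage against a real project (needs network; placeholder URL):
#   fetch_tags_atom https://gitlab.com/<NameSpace>/<ProjectName> \
#     | leak_status THIS_IS_IMPORTANT_RELEASE_DESCRIPTION
```

Run the live form from a shell with no GitLab session so the request is genuinely unauthenticated; an "OK" result for a marker you know is in a members-only release description means the feed no longer renders it.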

How To Reproduce

Please add reproducibility information to this section: