
Arbitrary access to the titles of private Gitlab-specific references

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2209702 by yvvdwf on 2023-10-15, assigned to @ottilia_westerlund:


Report

Hello,

Gitlab recently introduced the ability to include the issue's description in thank_you.md in the service desk:

    def substitute_template_replacements(template_body)
      template_body
        ...
        .gsub(/%\{\s*ISSUE_DESCRIPTION\s*\}/, issue_description)
        ...
    end
    ...
    def issue_description
      @issue.description_html.to_s
    end

As we can see in the code above, @issue.description_html is accessed directly without any redaction. Consequently, it allows rendering arbitrary Gitlab Flavored Markdown references from an arbitrary project.

Reproduce

  1. As victim, create a new private project, victim/private-project. Then create a private issue. We will show the ability to access this private issue.

  2. As attacker:

  • create a new project, attacker/project-a, then add this file, .gitlab/service_desk_templates/thank_you.md, to the project with the following content (note: the back-tick characters are important):
  `%{ISSUE_DESCRIPTION}`  

(screenshot attached: thank_you.png)

  • go to Settings > General > Service Desk, then copy the email in the "Email address to use for Service Desk" textbox, which should be something like this: contact-project+attacker-project-a-1234567-issue-@incoming.gitlab.com

  • using any email client, send the following email to the email address above:

    • subject: any subject as you want
    • body: victim/private-project#1
  • wait a few seconds; you should receive a reply from Gitlab which contains the title of the private issue.

Impact

The vulnerability allows an attacker to access the titles of any private Gitlab-specific references, such as private issues, merge requests, snippets, epics, vulnerabilities, labels, etc.

Output of checks

This bug happens on GitLab.com
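The mechanism the report describes, reduced to a self-contained Ruby model. This is an added example, not GitLab's code: the project/issue data, the permission rule, and every function name below are assumptions made for the illustration. It separates the two stages the report's code collapses: rendering references to HTML once (a cache that carries the title of every resolvable reference, regardless of who will read it), and a viewer-specific redaction pass that strips references the reader may not see. The vulnerable substitution feeds the cached HTML straight into the template, so an external Service Desk requester receives the private title; the hardened one runs the redaction pass as that recipient first.

```ruby
# Added example (not GitLab code): why substituting a cached, unredacted
# description_html into a Service Desk template leaks reference titles.
require 'cgi'

Project = Struct.new(:path, :visibility) # visibility: :public or :private
Issue   = Struct.new(:project, :iid, :title, :description)

# Constructed sample data: the victim's private project and an unrelated
# public project, each with one issue.
PROJECTS = {
  'victim/private-project' => Project.new('victim/private-project', :private),
  'oss/public-project'     => Project.new('oss/public-project', :public)
}.freeze

ISSUES = {
  'victim/private-project#1' => Issue.new(PROJECTS['victim/private-project'], 1, 'Secret roadmap for Q4', ''),
  'oss/public-project#7'     => Issue.new(PROJECTS['oss/public-project'], 7, 'Typo in README', '')
}.freeze

# Cross-project issue reference: namespace/project#iid
REFERENCE_RE = %r{([\w.-]+/[\w.-]+)\#(\d+)}

# Stage 1: markdown -> HTML, computed once and cached. The cache is not
# viewer-specific, so the title of every resolvable reference lands in it.
def render_references(markdown)
  markdown.gsub(REFERENCE_RE) do
    ref = Regexp.last_match(0)
    issue = ISSUES[ref]
    next CGI.escapeHTML(ref) unless issue

    format('<a href="/%s/-/issues/%d" title="%s" data-reference="%s">%s</a>',
           issue.project.path, issue.iid, CGI.escapeHTML(issue.title),
           CGI.escapeHTML(ref), CGI.escapeHTML(ref))
  end
end

# Assumed permission rule: public projects are readable by everyone; a private
# project is readable only by its owner. viewer is a user name, or nil for an
# external Service Desk requester who is not a GitLab user.
def can_read_issue?(viewer, issue)
  return true if issue.project.visibility == :public

  !viewer.nil? && issue.project.path.start_with?("#{viewer}/")
end

# Stage 2: viewer-specific post-processing. A reference the viewer may not read
# is collapsed back to its plain text, dropping the href and the title.
def redact_references(html, viewer)
  html.gsub(%r{<a [^>]*data-reference="([^"]+)"[^>]*>[^<]*</a>}) do
    m = Regexp.last_match
    ref = CGI.unescapeHTML(m[1])
    issue = ISSUES[ref]
    issue && can_read_issue?(viewer, issue) ? m[0] : CGI.escapeHTML(ref)
  end
end

# Vulnerable: the cached HTML is substituted as-is, stage 2 never runs.
def substitute_template_vulnerable(template_body, issue)
  template_body.gsub(/%\{\s*ISSUE_DESCRIPTION\s*\}/, render_references(issue.description))
end

# Hardened: redact for the actual email recipient before substituting.
def substitute_template_hardened(template_body, issue, recipient:)
  html = redact_references(render_references(issue.description), recipient)
  template_body.gsub(/%\{\s*ISSUE_DESCRIPTION\s*\}/, html)
end

# The report's scenario: the attacker's Service Desk issue description is the
# email body, containing a reference to the victim's private issue.
def demo
  thank_you = "Thanks!\n%{ISSUE_DESCRIPTION}\n"
  attacker_issue = Issue.new(Project.new('attacker/project-a', :public), 1, 'from email',
                             'victim/private-project#1 and oss/public-project#7')
  {
    vulnerable: substitute_template_vulnerable(thank_you, attacker_issue),
    hardened:   substitute_template_hardened(thank_you, attacker_issue, recipient: nil)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, body| puts "== #{name} ==", body }
end
```

Running the file prints both email bodies: the vulnerable one carries `title="Secret roadmap for Q4"` on the link to victim/private-project#1, the hardened one reduces that reference to plain text while keeping the public reference (and its title) intact. The same hardened path still shows the private title to the victim viewing their own issue, which is the check to keep in mind when adding the redaction step: redact for the recipient, not for nobody.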

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: