Arbitrary access to the titles of private GitLab-specific references
HackerOne report #2209702 by yvvdwf
on 2023-10-15, assigned to @ottilia_westerlund:
Report
Hello,
GitLab recently introduced the ability to include an issue's description in the service desk `thank_you.md` template:

```ruby
def substitute_template_replacements(template_body)
  template_body
    ...
    .gsub(/%\{\s*ISSUE_DESCRIPTION\s*\}/, issue_description)
    ...
end

...

def issue_description
  @issue.description_html.to_s
end
```
As we can see in the code above, `@issue.description_html` is accessed directly without any redaction. Consequently, it allows rendering arbitrary GitLab Flavored Markdown references to any project, including ones the email recipient cannot read.
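The following Ruby is an added illustration, not GitLab's code: it models the verbatim substitution reported above beside a hardened variant that redacts reference links to projects the recipient cannot read before the description enters the template. The reference-link markup, the attribute names and the `readable_paths` check are assumptions made for the example, not GitLab's actual rendering pipeline.

```ruby
require 'cgi'

# Constructed stand-in for an Issue record: GitLab caches the rendered
# description, and reference links in that cache carry the referenced
# item's title (modelled here as a title attribute) regardless of who
# later reads the email.
CachedIssue = Struct.new(:description, :description_html)

# Assumed shape of a rendered GFM reference link; attribute names and
# order approximate the real pipeline output and are not copied from GitLab.
REFERENCE_RE = %r{<a [^>]*data-reference-type="(\w+)"[^>]*data-project-path="([^"]+)"[^>]*>[^<]*</a>}

PLACEHOLDER_RE = /%\{\s*ISSUE_DESCRIPTION\s*\}/

# Mirrors the reported behaviour: the cached HTML is substituted verbatim.
def vulnerable_thank_you(template, issue)
  template.gsub(PLACEHOLDER_RE, issue.description_html.to_s)
end

# Defensive pass: drop every reference link into a project the recipient
# may not read, keeping only links into projects listed in readable_paths.
def redact_references(html, readable_paths)
  html.gsub(REFERENCE_RE) do |link|
    type = Regexp.last_match(1)
    path = Regexp.last_match(2)
    readable_paths.include?(path) ? link : CGI.escapeHTML("[#{type} reference redacted]")
  end
end

# Hardened substitution: redact for the external service desk requester
# before the text enters the template. The block form also stops backslash
# sequences in the description from being interpreted by gsub.
def safe_thank_you(template, issue, readable_paths)
  template.gsub(PLACEHOLDER_RE) { redact_references(issue.description_html.to_s, readable_paths) }
end

# Constructed sample: the service desk email body referenced a private issue.
SAMPLE_ISSUE = CachedIssue.new(
  'victim/private-project#1',
  '<a href="/victim/private-project/-/issues/1" data-reference-type="issue" ' \
  'data-project-path="victim/private-project" title="Secret roadmap" ' \
  'class="gfm gfm-issue">victim/private-project#1</a>'
)
THANK_YOU_TEMPLATE = "Thanks for your request!\n`%{ISSUE_DESCRIPTION}`\n"

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_thank_you(THANK_YOU_TEMPLATE, SAMPLE_ISSUE) # title attribute leaks
  puts safe_thank_you(THANK_YOU_TEMPLATE, SAMPLE_ISSUE, [])   # reference redacted
end
```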
Reproduce

1. As victim, create a new private project, `victim/private-project`. Then create a private issue. We will show the ability to access this private issue.
2. As attacker:
   - Create a new project, `attacker/project-a`, then add the file `.gitlab/service_desk_templates/thank_you.md` to the project with the following content (note: the back-tick characters are important):

     ```
     `%{ISSUE_DESCRIPTION}`
     ```

   - Go to Settings/General/Service Desk, then copy the email in the "Email address to use for Service Desk" textbox, which should look something like this: contact-project+attacker-project-a-1234567-issue-@incoming.gitlab.com
   - Using any email client, send the following email to the email address above:
     - subject: any subject you want
     - body: victim/private-project#1
   - Wait a few seconds; you should receive a reply from GitLab which contains the title of the private issue.
Impact
The vulnerability allows an attacker to access the titles of any private GitLab-specific references, such as private issues, merge requests, snippets, epics, vulnerabilities, labels, etc.
Output of checks
This bug happens on GitLab.com