Guests can disclose the full source code of projects using custom group-level templates
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #2480126](https://hackerone.com/reports/2480126)** by `js_noob` on 2024-04-26, assigned to `GitLab Team`:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
Hello team, according to the [docs](https://docs.gitlab.com/ee/user/group/custom_project_templates.html#set-up-group-level-project-templates), only group members are allowed to use its templates to create projects in other groups. On the other hand, as known, guest users can't access the source code in private projects, you can verify this by searching for "View project code" [here](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions). However, a guest user can abuse the custom group-level templates and disclose the full source code of private projects associated with that template group.
In the below example, we have:
* A parent group:
  * `projects` sub-group (no role for the attacker at the group level):
    * private project - where the attacker has a guest role
  * `templates` sub-group (attacker has developer role in this sub-group):
The result is that the attacker will create a project in the `projects` subgroup using a project template whose source code he can't read, disclosing all of its code.
##### Steps to reproduce
**As an owner:**
1. Create a group and apply the ultimate trial to it
2. Create 2 subgroups in that group; let's call them `projects` and `templates`
3. Navigate to https://gitlab.com/groups/MAIN_GROUP/-/edit and under "Custom project templates", select the `templates` subgroup
4. Create a project in the `templates` subgroup
5. Invite USER_2 as a guest to that created project and as a developer to the `projects` group
**As User 2:**
6. Verify that you can't access the source code of the project created in the `templates` subgroup
7. Verify that you can't create projects from the group templates in the `projects` template

8. Navigate to the `projects` subgroup, and start creating a new project process
9. Upon submitting, intercept the request and add the following to the body of the fired request, but make sure to replace the IDs:
`&project%5Btemplate_project_id%5D=PROJECT_IN_TEMPLATES_ID&project%5Buse_custom_template%5D=true&project%5Bgroup_with_project_templates_id%5D=TEMPLATES_SUBGROUP_ID`
10. Verify that a new project is created from the template, disclosing all of the source code
##### Examples

##### What is the current *bug* behavior?
There are 2 issues here:
* Non-group members can use templates from that group and create them in other groups.
* Guests can create projects from templates they don't have "full-read" access to.
##### What is the expected *correct* behavior?
* Non-group members shouldn't be able to use templates from that group and create them in other groups, even if they are project members.
* Guests shouldn't be able to create projects from templates they don't have "full-read" access to.
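The two expected checks above, written out as an added illustration that is not GitLab's own code: a minimal in-memory policy that decides whether a submitted `template_project_id` may be used, following the membership layout from the steps to reproduce (attacker is a guest on the template project and a developer on the unrelated `projects` subgroup). Access-level numbers follow GitLab's convention (Guest=10, Reporter=20, Developer=30); all class, method and sample names are assumptions.

```ruby
# Added illustration, not GitLab's own code: the server-side checks the report
# says are missing when a request carries template_project_id /
# group_with_project_templates_id. Access levels follow GitLab's convention
# (Guest=10, Reporter=20, Developer=30); every name here is assumed.
GUEST     = 10
REPORTER  = 20
DEVELOPER = 30

class TemplateAccessPolicy
  # group_members:   { [user, group]   => access_level } (direct group membership only)
  # project_members: { [user, project] => access_level }
  # project_group:   { project => group the project belongs to }
  def initialize(group_members:, project_members:, project_group:)
    @group_members   = group_members
    @project_members = project_members
    @project_group   = project_group
  end

  # True only when every condition from the "expected behavior" list holds.
  def can_use_template?(user, template_project, templates_group)
    # The submitted template_project_id must really belong to the configured
    # templates group; otherwise the ids in the request were tampered with.
    return false unless @project_group[template_project] == templates_group
    # Only members of the templates group may use its templates; a guest
    # membership on one project inside that group does not count.
    group_level = @group_members[[user, templates_group]]
    return false if group_level.nil?
    # The user must be able to read the template's code: Reporter or above
    # on the group or on the project itself.
    project_level = @project_members[[user, template_project]] || 0
    [group_level, project_level].max >= REPORTER
  end
end

# Constructed sample mirroring the report: attacker is Guest on the template
# project and Developer on the unrelated `projects` subgroup; member is a
# Developer of the `templates` subgroup.
def report_scenario
  policy = TemplateAccessPolicy.new(
    group_members:   { [:attacker, :projects] => DEVELOPER, [:member, :templates] => DEVELOPER },
    project_members: { [:attacker, :template_proj] => GUEST },
    project_group:   { :template_proj => :templates }
  )
  {
    attacker: policy.can_use_template?(:attacker, :template_proj, :templates),
    member:   policy.can_use_template?(:member, :template_proj, :templates),
    # a spoofed group id that does not own the template project is rejected too
    spoofed:  policy.can_use_template?(:member, :template_proj, :projects)
  }
end
```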
##### Output of checks
This bug happens on GitLab.com
#### Impact
Guests can disclose the full source code of private projects.
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_2024-04-26_at_6.41.03_PM.png](https://h1.sec.gitlab.net/a/46db69f3-dcbd-41de-9598-ef72e13bdeb7/Screenshot_2024-04-26_at_6.41.03_PM.png)
* [Screen_Recording_2024-04-26_at_6.42.57_PM.mov](https://h1.sec.gitlab.net/a/1acd3dc1-e6a7-4078-bb30-018124046649/Screen_Recording_2024-04-26_at_6.42.57_PM.mov)
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues