Guests can disclose the full source code of projects using custom group-level templates

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2480126 by js_noob on 2024-04-26, assigned to GitLab Team:

Report

Summary

Hello team, according to the docs, only a group's members are allowed to use its templates to create projects in other groups. On the other hand, as is known, guest users can't access the source code in private projects; you can verify this by searching for "View project code" here. However, a guest user can abuse the custom group-level templates and disclose the full source code of private projects associated with that template group.

In the below example, we have:

  • A parent group:
    • projects sub-group (no role for the attacker at the group level):
      • private project - where the attacker has a guest role
    • templates sub-group (attacker has developer role in this sub-group)

The result is that the attacker can create a project in the projects subgroup using a project template whose source code he can't read, disclosing all of its code.

Steps to reproduce

As an owner:

  1. Create a group and apply the Ultimate trial to it
  2. Create 2 subgroups in that group; let's call them projects and templates
  3. Navigate to https://gitlab.com/groups/MAIN_GROUP/-/edit and under "Custom project templates", select the templates subgroup
  4. Create a project in the templates subgroup
  5. Invite USER_2 as a guest to that created project and as a developer to the projects group

As User 2:

  1. Verify that you can't access the source code of the project created in the templates subgroup
  2. Verify that you can't create projects from the group templates in the projects template

Screenshot_2024-04-26_at_6.41.03_PM.png

  3. Navigate to the projects subgroup, and start the new project creation process
  4. Upon submitting, intercept the request and add the following to the body of the fired request, making sure to replace the IDs
    &project%5Btemplate_project_id%5D=PROJECT_IN_TEMPLATES_ID&project%5Buse_custom_template%5D=true&project%5Bgroup_with_project_templates_id%5D=TEMPLATES_SUBGROUP_ID
  5. Verify that a new project is created from the template, disclosing all of the source code

Examples

Screen_Recording_2024-04-26_at_6.42.57_PM.mov

What is the current bug behavior?

There are 2 issues here:

  • Non-group members can use templates from that group and create them in other groups.
  • Guests can create projects from templates they don't have "full-read" access to.

What is the expected correct behavior?

  • Non-group members shouldn't be able to use templates from that group and create them in other groups, even if they are project members.
  • Guests shouldn't be able to create projects from templates they don't have "full-read" access to.

Output of checks

This bug happens on GitLab.com

Impact

Guests can disclose the full source code of private projects.
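The two rules under "expected correct behavior" boil down to one server-side check that must run no matter which form fields the client submits. The following is an added, self-contained model of that check in Ruby; it is not GitLab's code. Role values are GitLab's documented access levels, while the Project/User structures, the ids, and the scenario data are constructed for the example.

```ruby
require 'uri'

# Constructed model (not GitLab's code) of the server-side check the
# "expected correct behavior" bullets describe. Role values follow GitLab's
# documented access levels; structures and data are invented for this example.
GUEST     = 10
REPORTER  = 20   # lowest role that can read a private project's repository
DEVELOPER = 30

Project = Struct.new(:id, :group_id, :private)
User    = Struct.new(:group_access, :project_access)  # { id => access level }

# Effective role on a project: direct project membership or membership on the
# project's own group, whichever is higher (assumes no deeper inheritance).
def effective_access(user, project)
  [user.project_access.fetch(project.id, 0),
   user.group_access.fetch(project.group_id, 0)].max
end

# Extract the custom-template fields from a URL-encoded form body; nil when
# the client did not request a custom template at all.
def template_request(body)
  form = URI.decode_www_form(body).to_h
  return nil unless form['project[use_custom_template]'] == 'true'
  { template_id: form['project[template_project_id]'].to_i,
    group_id:    form['project[group_with_project_templates_id]'].to_i }
end

# The rule the server must enforce regardless of which fields were submitted:
#  1. the template lives in the configured templates group and the user is a
#     member of that group itself (membership on the project is not enough);
#  2. for a private template the user holds at least Reporter on it.
def allow_custom_template?(user, req, projects, templates_group_id)
  tpl = projects[req[:template_id]]
  return false if tpl.nil? || req[:group_id] != templates_group_id
  return false unless tpl.group_id == templates_group_id
  return false unless user.group_access.key?(templates_group_id)
  return false if tpl.private && effective_access(user, tpl) < REPORTER
  true
end

# Scenario mirroring the report: templates group 7 holds private project 42;
# "User 2" is Guest on project 42 and Developer on the projects group 9.
PROJECTS = { 42 => Project.new(42, 7, true) }
USER_2   = User.new({ 9 => DEVELOPER }, { 42 => GUEST })
MEMBER   = User.new({ 7 => REPORTER }, {})
BODY     = 'project%5Bname%5D=x&project%5Btemplate_project_id%5D=42' \
           '&project%5Buse_custom_template%5D=true' \
           '&project%5Bgroup_with_project_templates_id%5D=7'
```

With this check in place the injected fields are parsed but rejected for USER_2, while a Reporter who is a member of the templates group is still allowed through.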

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: