Guests can disclose project templates using the REST API
HackerOne report #2501461 by js_noob
on 2024-05-11, assigned to @ottilia_westerlund:
Report
Summary
Hello team, project members can create templates in a project for easier accessibility. These templates are just code saved under "special" file paths in the repository, i.e. they are part of the project's source code. Guests are not allowed to read the code of a private project, so they should not be able to access project templates either. However, this is not the case: guests can disclose all project templates using the REST API.
I understand that guests might still need access to issues templates, as guests are allowed to create issues, but they shouldn't have access to other types of templates, for example, merge request templates.
Steps to reproduce
As an owner:
- Create a new group and apply the ultimate trial to it
- Create a new private project in that group
- Create a new file with the path .gitlab/merge_request_templates/mytemplate.md and any content in that file
- Invite a guest to the group
As the guest:
- Verify that you can't access the templates/code
- Send the following API calls:
curl --header "PRIVATE-TOKEN: PAT" "https://gitlab.com/api/v4/projects/PROJECT_ID/templates/merge_requests"
curl --header "PRIVATE-TOKEN: PAT" "https://gitlab.com/api/v4/projects/PROJECT_ID/templates/merge_requests/TEMPLATE_NAME"
- Verify the disclosure of the content of the template
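The two API calls above can be turned into a regression check that a defender runs against their own instance after a fix is deployed. The script below is an added example, not part of the HackerOne report or of GitLab's code: it probes the project templates endpoint with a Guest-role token, treats issue templates as legitimately readable by guests (the reporter's own suggestion) and flags any other template type that returns content as exposed. The function names, the GUEST_ALLOWED_TYPES set, the injectable `fetch` callable and the assumed JSON shapes of the listing (`key`/`name`) and single-template (`content`) responses are assumptions made for this example.

```python
"""Regression check for the guest/template authorization gap (added example).

Replays the report's two API calls with an injectable `fetch` callable so the
logic can run against a real instance or against a constructed fake. Function
names, GUEST_ALLOWED_TYPES and the assumed JSON shapes are assumptions.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Template types probed under /projects/:id/templates/:type.
TEMPLATE_TYPES = ("issues", "merge_requests")
# Assumption following the report: guests may read issue templates because
# they can open issues, but must not read merge request templates.
GUEST_ALLOWED_TYPES = frozenset({"issues"})

Fetcher = Callable[[str, str], Tuple[int, str]]


def http_fetch(url: str, token: str) -> Tuple[int, str]:
    """Real transport: GET `url` with a PRIVATE-TOKEN header, returning (status, body)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def template_url(base: str, project_id: int, template_type: str,
                 name: Optional[str] = None) -> str:
    """Build the listing URL, or the single-template URL when `name` is given."""
    url = f"{base.rstrip('/')}/api/v4/projects/{project_id}/templates/{template_type}"
    return url if name is None else f"{url}/{name}"


def check_guest_template_access(base: str, project_id: int, guest_token: str,
                                fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Probe each template type with a Guest-role token.

    Verdicts: 'allowed' (a type guests may read answered 200), 'denied'
    (401/403/404), 'exposed' (a type guests must not read answered 200;
    `leaked` lists template names whose content came back), or 'unexpected'.
    """
    findings: Dict[str, dict] = {}
    for ttype in TEMPLATE_TYPES:
        status, body = fetch(template_url(base, project_id, ttype), guest_token)
        leaked = []
        if ttype in GUEST_ALLOWED_TYPES:
            verdict = "allowed" if status == 200 else "denied"
        elif status in (401, 403, 404):
            verdict = "denied"
        elif status == 200:
            verdict = "exposed"
            # Listing entries are assumed to look like {"key": ..., "name": ...}.
            for entry in json.loads(body):
                name = entry.get("key") or entry.get("name")
                st, single = fetch(template_url(base, project_id, ttype, name), guest_token)
                if st == 200 and json.loads(single).get("content"):
                    leaked.append(name)
        else:
            verdict = "unexpected"
        findings[ttype] = {"verdict": verdict, "status": status, "leaked": leaked}
    return findings


def is_vulnerable(findings: Dict[str, dict]) -> bool:
    """True when any template type guests must not read was served."""
    return any(f["verdict"] == "exposed" for f in findings.values())


if __name__ == "__main__":
    import os
    import sys
    # Run against your own instance: GITLAB_URL, PROJECT_ID and a Guest-role GUEST_PAT.
    result = check_guest_template_access(
        os.environ.get("GITLAB_URL", "https://gitlab.com"),
        int(os.environ["PROJECT_ID"]),
        os.environ["GUEST_PAT"],
    )
    print(json.dumps(result, indent=2))
    sys.exit(1 if is_vulnerable(result) else 0)
```

The check exits non-zero whenever a non-issue template type is readable by a guest, so it can sit in a post-upgrade verification job. Because the transport is injected, the same logic is exercised offline with a constructed fake that returns the report's mytemplate content, and again with a fake that refuses the request as a fixed instance should.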
What is the current bug behavior?
Guests can access project templates through the REST API.
What is the expected correct behavior?
Guests shouldn't be able to access project templates through the REST API.
Output of checks
This bug happens on GitLab.com
Impact
Disclosure of project template to unauthorized users (guests).