Commit information visible through release atom endpoint for guest users
HackerOne report #2573397 by ashish_r_padelkar on 2024-06-24, assigned to @kmorrison1:
Report
Summary
Hello,
As per this documentation, https://docs.gitlab.com/ee/user/permissions.html, Guest users can access GitLab Releases for downloading assets but are not allowed to download the source code nor see repository information like commits and release evidence.
However, through the release atom endpoint, a guest user can see the commit of the release.
Steps to reproduce
1. Create a group.
2. Create a private project underneath it.
3. Now create a release within the project.
4. The release will show information like below, including commit information.
5. Now add a guest user at group level: https://gitlab.com/groups/<groupName>/-/group_members.
6. Log in as the guest user and navigate to releases at https://gitlab.com/<groupName>/<ProjectName>/-/releases.
7. You see the release but you don't see repository information like commits and release evidence, as expected and working as intended as per the documentation.
8. Now click on the RSS feed button and it will open a URL like https://gitlab.com/<groupName>/<ProjectName>/-/releases.atom?feed_token=glft-<>Token-3148078.
9. In the response, look for the <summary> tag, which contains the commit information which they shouldn't see as per the documentation.
What is the current bug behavior?
Guest users are able to view commit information which they shouldn't.
What is the expected correct behavior?
Commit information should be redacted from release atom endpoint for guest users.
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 17.2.0-pre 59d98c8baff
Regards,
Ashish
Impact
Commit information visible through release atom endpoint for guest users
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- Screenshot_2024-06-25_at_12.42.26_AM.png
- Screenshot_2024-06-25_at_12.45.30_AM_Large.jpeg
- Screenshot_2024-06-25_at_12.54.19_AM.png
- Screenshot_2024-06-25_at_12.54.50_AM.png
How To Reproduce
Please add reproducibility information to this section:
Implementation guide
For the commit.message information, first check whether the current user can read code for the current repository with can?(current_user, :read_code, project), and only emit the summary when that check passes.
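The following is an added, stand-alone illustration of that rule, not GitLab's code: it renders a release atom entry the way the patched builder should, with a stub for can?(current_user, :read_code, project) (guest lacks :read_code; Reporter and above have it, as in the permissions documentation) and a stub strip_signature, over constructed sample data. A check function flags a feed that still carries the <summary> element, which is the condition the report exercised.

```ruby
require 'cgi'

# Constructed sample data, not GitLab's Release model: a release and its tagged commit.
Release = Struct.new(:name, :url, :description, :commit_message, :released_at, :updated_at)

# Stand-in for can?(current_user, :read_code, project) (assumption for this example):
# Guest lacks :read_code, Reporter and above have it.
READ_CODE_ROLES = %w[reporter developer maintainer owner].freeze
def can_read_code?(role)
  READ_CODE_ROLES.include?(role)
end

# Stand-in for GitLab's strip_signature: drop a trailing PGP/SSH signature block.
def strip_signature(message)
  message.sub(/-----BEGIN (PGP|SSH) SIGNATURE-----.*\z/m, '').rstrip
end

# Render one <entry> as the patched _release.atom.builder should:
# the <summary> (commit message) is emitted only when the viewer can read code.
def release_entry_xml(release, viewer_role)
  e = ->(s) { CGI.escapeHTML(s.to_s) }
  lines = ["<entry>"]
  lines << "  <id>#{e.(release.url)}</id>"
  lines << "  <link href=\"#{e.(release.url)}\"/>"
  lines << "  <title>#{e.(release.name[0, 160])}</title>"   # simplified truncate()
  if can_read_code?(viewer_role)                               # the authorization gate
    lines << "  <summary>#{e.(strip_signature(release.commit_message))}</summary>"
  end
  lines << "  <content type=\"html\">#{e.(release.description)}</content>"
  lines << "  <updated>#{release.updated_at}</updated>"
  lines << "  <published>#{release.released_at}</published>"
  lines << "</entry>"
  lines.join("\n")
end

# Regression check for the reported leak: a feed rendered for a guest must carry no <summary>.
def leaks_commit?(entry_xml)
  entry_xml.include?("<summary>")
end

SAMPLE_RELEASE = Release.new(
  "v1.0.0", "https://gitlab.example/group/project/-/releases/v1.0.0",
  "<p>First release</p>",
  "Fix auth bypass in token check\n\n-----BEGIN PGP SIGNATURE-----\nabc\n-----END PGP SIGNATURE-----",
  "2024-06-24T00:00:00Z", "2024-06-24T00:00:00Z"
)

puts release_entry_xml(SAMPLE_RELEASE, "guest") if __FILE__ == $0
```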
This is a possible fix:
diff --git a/app/views/projects/releases/_release.atom.builder b/app/views/projects/releases/_release.atom.builder
index e0295a0f38fc..d815163d659a 100644
--- a/app/views/projects/releases/_release.atom.builder
+++ b/app/views/projects/releases/_release.atom.builder
@@ -9,7 +9,7 @@ xml.entry do
xml.id release_url
xml.link href: release_url
xml.title truncate(release.name, length: 160)
- xml.summary strip_signature(release.commit.message)
+ xml.summary strip_signature(release.commit.message) unless !can?(current_user, :read_code, @project)
xml.content markdown_field(release, :description), type: 'html'
xml.updated release.updated_at.xmlschema
xml.published release.released_at.xmlschema
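Review bot: the condition on the `+` line, `unless !can?(current_user, :read_code, @project)`, is a double negative; write it as `xml.summary strip_signature(release.commit.message) if can?(current_user, :read_code, @project)` so the intent (emit the commit message only to users who may read code) is readable at a glance. The implementation guide above names the subject as `project` while the hunk uses `@project`; confirm which one is in scope in this partial, since the partial is rendered per release and a nil subject would make the check deny for everyone rather than raise visibly. A request spec that renders the releases atom feed as a group-level guest and asserts the entry has no `<summary>` element would pin the fix to exactly the path the report exercised.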