
Leak branch names of projects with confidential repository

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2666216 by shells3c on 2024-08-16, assigned to @cmaxim:


Report

Steps to reproduce
  1. Create a project with the repository visibility set to Only Project Members
  2. Create a branch, let's say fix-123-abcd
  3. From another browser, without logging in, go to https://gitlab.com/-/graphql-explorer and paste this payload (replace with your project path):

     query {
       project(fullPath: "<YOUR PROJECT PATH HERE>") {
         protectableBranches
       }
     }

  4. Now you will see the branch you just created
Output of checks

This bug happens on GitLab.com

Impact

Branch names can contain sensitive information, especially when the default branch name template of all projects is %{id}-%{title}; therefore branches that address issues contain the titles of the issues themselves, which can be sensitive a lot of the time.

An example where the impact could be critical is gitlab-org/security/gitlab, as it has security-${title} as its branch name template (Luckily the project is private, so it's not vulnerable).
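A regression check an instance administrator can run against their own projects once the fix is deployed, added here as an example and not part of the report or of GitLab's code. It sends the report's query with no credentials and classifies the answer; the endpoint path /api/graphql, the host name and the sample response are assumptions or constructed values.

```python
"""Regression check: can an unauthenticated GraphQL caller list branch names
of a project whose repository is restricted to project members?

Added example for this issue, not GitLab's own code. Assumes the GraphQL
endpoint lives at https://<host>/api/graphql; hosts/paths are placeholders."""
import json
import urllib.request

GRAPHQL_PATH = "/api/graphql"  # assumed endpoint path


def build_query(full_path: str) -> str:
    """Same query as in the report; the path is embedded as a string literal."""
    return 'query { project(fullPath: %s) { protectableBranches } }' % json.dumps(full_path)


def classify(response: dict) -> str:
    """'exposed'  - branch names came back (the leak described in the report)
    'withheld' - project or field withheld, or nothing listed (note an empty
                 list could also mean an empty repository)
    'error'    - the server returned a GraphQL error list"""
    if response.get("errors"):
        return "error"
    project = (response.get("data") or {}).get("project")
    if project is None:
        return "withheld"
    if project.get("protectableBranches"):
        return "exposed"
    return "withheld"


def check_project(host: str, full_path: str) -> str:
    """POST the query with no session or token and classify the reply."""
    body = json.dumps({"query": build_query(full_path)}).encode()
    req = urllib.request.Request(
        f"https://{host}{GRAPHQL_PATH}", data=body,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return classify(json.load(resp))


if __name__ == "__main__":
    # Expected on a fixed instance for a members-only repository: 'withheld'
    print(check_project("gitlab.example.com", "group/confidential-project"))
```

Run it against each members-only project after upgrading; any result of `exposed` means anonymous callers can still enumerate branch names.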

How To Reproduce

Please add reproducibility information to this section: