Bypassing "Restrict access by IP address" to view snippet names of the restricted group's projects
HackerOne report #2755911 by mateuszek on 2024-10-02, assigned to @ngeorge1:
Report
1. Description:
As I can read in the GitLab docs about "Restrict group access by IP address":
(https://docs.gitlab.com/ee/user/group/access_and_permissions.html#restrict-group-access-by-ip-address)
I can read there that ONLY group and project names and their hierarchies can be visible from IP addresses other than the restricted one:
Users can still see group and project names and hierarchies. Only the following are restricted:
- Groups, including all group resources.
- Project, including all project resources.
As I understand the documentation, all project resources should be restricted.
I found a scenario where, after setting "Restrict access by IP address" to a specified IP address, a group member from another IP address can still view the snippet names of the projects of the PoC group - bypassing "Restrict access by IP address" to view snippet names of the restricted group's projects.
2. Scenario:
2.1. Actors:
User A - private group A owner with a public GitLab profile
User B - private group A member, e.g. role Guest
2.2. Steps:
- User A - create the private project AP in PoC group A
- User A - create a private snippet APS_1 in the PoC project AP
- User A - in the PoC group A go to Settings->General->Permissions and group features and set "Restrict access by IP address" to a specified IP address
- User B - try to access the PoC group A from an IP address other than the specified one - you should see 404 not found - expected behaviour
- User B - go to User A's public GitLab profile, then open the "Snippets" tab - notice that you see the snippet APS_1 there - bypassing "Restrict access by IP address" to view snippet names of the restricted group's projects
- User A - now, in the project AP, create the new private snippet APS_2
- User B - refresh the "Snippets" tab of User A's public profile - notice that you also see the snippet APS_2 there - bypassing "Restrict access by IP address" to view snippet names of the restricted group's projects
Best regards,
Mateusz
Impact
- Bypassing "Restrict access by IP address" to view snippets names of the restricted group projects
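The authorization gap the report describes, modelled as an added example that is not part of the report and not GitLab's code: the IP allowlist is enforced on the direct group path (User B gets a 404), but a second listing path (the profile "Snippets" tab) is keyed on the author only and never consults the owning group's allowlist, so project snippet titles leak. All class and function names, the CIDR ranges and the IP addresses are hypothetical; the sample data is constructed to mirror the report's actors and objects. Membership and visibility checks are assumed to pass, as they do for User B, who is a group member.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


class NotFound(Exception):
    """Stands in for the 404 that the IP allowlist produces on the direct path."""


@dataclass
class Group:
    name: str
    allowed_cidrs: List[str]  # "Restrict access by IP address"; empty means unrestricted


@dataclass
class Project:
    name: str
    group: Group


@dataclass
class Snippet:
    title: str
    author: str
    project: Optional[Project]  # None models a personal snippet, which has no owning group


def ip_allowed(group: Group, client_ip: str) -> bool:
    """True when the client IP falls inside one of the group's allowed ranges."""
    if not group.allowed_cidrs:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in group.allowed_cidrs)


def group_show(group: Group, client_ip: str) -> str:
    """Direct access path: the allowlist is checked here, which is why User B sees 404."""
    if not ip_allowed(group, client_ip):
        raise NotFound(group.name)
    return group.name


def profile_snippets_vulnerable(snippets: List[Snippet], author: str, client_ip: str) -> List[str]:
    """Profile 'Snippets' tab as the report describes it: the listing filters on the
    author only, so titles of project snippets are returned even when the project's
    group is unreachable from client_ip (the parameter is never consulted)."""
    return [s.title for s in snippets if s.author == author]


def profile_snippets_fixed(snippets: List[Snippet], author: str, client_ip: str) -> List[str]:
    """Hardened listing: every project snippet is passed through the owning group's
    allowlist, i.e. the same check the direct path already applies."""
    return [
        s.title
        for s in snippets
        if s.author == author
        and (s.project is None or ip_allowed(s.project.group, client_ip))
    ]


# Constructed sample data (hypothetical addresses and names, not from the report)
ALLOWED_IP = "203.0.113.10"   # the address configured in the group setting
OTHER_IP = "198.51.100.7"     # User B's address
GROUP_A = Group("group-a", ["203.0.113.0/24"])
PROJECT_AP = Project("AP", GROUP_A)
SNIPPETS = [
    Snippet("APS_1", "user_a", PROJECT_AP),
    Snippet("APS_2", "user_a", PROJECT_AP),
]


def reproduce(client_ip: str) -> dict:
    """Issue User B's two requests from client_ip and report what each path reveals."""
    try:
        group = group_show(GROUP_A, client_ip)
    except NotFound:
        group = "404"
    return {
        "group": group,
        "profile_vulnerable": profile_snippets_vulnerable(SNIPPETS, "user_a", client_ip),
        "profile_fixed": profile_snippets_fixed(SNIPPETS, "user_a", client_ip),
    }


if __name__ == "__main__":
    print(reproduce(ALLOWED_IP))  # both listings show APS_1 and APS_2
    print(reproduce(OTHER_IP))    # group is 404, yet the vulnerable listing still shows both
```

The point of the model is that an allowlist enforced only at the container (group or project) boundary is bypassed by any other view that reaches the same objects; the fix resolves each snippet back to its root group and applies the identical check there.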
How To Reproduce
Please add reproducibility information to this section: