
Unauthorized access to reading branch names when Repository and all its assets are disabled in the project

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2862754 by mateuszek on 2024-11-24, assigned to @ottilia_westerlund:


Report

1. Description:
I found a scenario where an attacker can read branch names when Repository and all its assets are disabled in the project - Unauthorized access to reading branch names when Repository and all its assets are disabled in the project.

2. Scenario:

2.1. Actors:
User A - owner of the public group A and owner of the public project A_PROJ (project inside group A)
User B - developer of the public group A and developer of the public project A_PROJ (project inside group A)

2.2. Steps:

  1. User A - in the PoC project A_PROJ go to: Secure -> On-demand scans and create a new scan by clicking New scan
  2. User A - in the PoC project A_PROJ go to: Settings -> General -> Visibility, project features, permissions -> Repository and turn off this feature and all its assets.
  3. User B - in the PoC project A_PROJ go to: Secure -> On-demand scans and notice that you see branch names without any problems - Unauthorized access to reading branch names when Repository and all its assets are disabled in the project - [screenshot1.png]

screenshot1.png

Best regards,
Mateuszz

Impact

  • Unauthorized access to reading branch names when Repository and all its assets are disabled in the project

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
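The following is an added illustration, not GitLab's code and not reproduction data for this issue: a small Ruby model of the authorization rule the report shows being skipped. Any UI surface that lists repository data (here, the branch picker on the On-demand scans form) has to consult the Repository feature level for the requesting user, not only the user's membership. The feature-level constants, the `SCAN_ROLES` set, the project and user structs, and the sample project data are all assumptions made for this example.

```ruby
# Illustrative model (not GitLab's code) of the check a branch-listing
# surface must perform. The levels mirror the "Disabled / Only project
# members / Everyone with access" options under Settings -> General ->
# Visibility, project features, permissions -> Repository; the numeric
# values are an assumption for this example.
module FeatureLevel
  DISABLED = 0   # "Disabled" (what User A selects in the report)
  PRIVATE  = 10  # "Only project members"
  ENABLED  = 20  # "Everyone with access"
end

Project = Struct.new(:path, :branch_names, :repository_level)
User    = Struct.new(:name, :role)  # role: :owner, :maintainer, :developer, :guest, :anonymous

# Assumption: the On-demand scans form is available to developer and above.
SCAN_ROLES   = %i[owner maintainer developer].freeze
MEMBER_ROLES = %i[owner maintainer developer reporter guest].freeze

# Vulnerable behaviour, as described in the report: the form only asks
# "may this user use on-demand scans?" and never consults the Repository
# toggle, so User B (developer) still sees every branch name.
def branch_names_vulnerable(project, user)
  return [] unless SCAN_ROLES.include?(user.role)
  project.branch_names
end

# The check the Repository pages themselves apply. Project visibility
# (public/private) is assumed to have been enforced before this point.
def repository_visible?(project, user)
  case project.repository_level
  when FeatureLevel::DISABLED then false
  when FeatureLevel::PRIVATE  then MEMBER_ROLES.include?(user.role)
  else true
  end
end

# Hardened behaviour: the scan form applies the same repository check
# before it returns branch names to the caller.
def branch_names_hardened(project, user)
  return [] unless SCAN_ROLES.include?(user.role)
  return [] unless repository_visible?(project, user)
  project.branch_names
end

# Constructed sample data mirroring the report's scenario.
A_PROJ = Project.new("group-a/a_proj",
                     %w[main release-2024.11 feature/unannounced],
                     FeatureLevel::DISABLED)
USER_B = User.new("User B", :developer)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable form: #{branch_names_vulnerable(A_PROJ, USER_B).inspect}"
  puts "hardened form:   #{branch_names_hardened(A_PROJ, USER_B).inspect}"
end
```

The point of the contrast is that `repository_visible?` already exists for the Repository pages; the defect is a second surface reading branch names through a different path that skipped it. When reviewing a fix, check every place that resolves refs for the project (scan forms, pipeline pickers, API resolvers) against the same feature-level predicate rather than patching only the page named in the report.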