Access to Locked files of Restricted Repository Project(Information Disclosure)
HackerOne report #439714 by vijay_kumar1110 on 2018-11-13:
## Summary & Description
In Project -> Settings -> General -> Permissions you can restrict access to the repository to "Only project members". Once you make this change, no other user should be able to access your project repository or any related details. But the Locked Files section of the repository is still accessible to any user, which also discloses information about files, branches, users, etc. In the reproduction I have restricted almost all other sections too and disabled public pipelines as well.
## Vulnerable API request
https://gitlab.com/[Username]/[project_name]/path_locks
## Steps To Reproduce
Use two different accounts to reproduce this issue.
- Log in from the victim account and create a project.
- Keep the project as internal/public and set the "Only project members" permission for Repository.
- I would recommend restricting all other sections and disabling public pipelines, as the permissions don't mix up.
- Now only members should be able to access the repository, and no other user should be able to access any details of the repository.
- Now log in from the attacker account and go to the project.
- You will notice that this user doesn't have access to the Repository section of the project, and if you have disabled other sections, they might not be able to access those sections either. That means this user shouldn't be able to access any repository details of this project.
- Now run the above-mentioned API request with a valid project_name.
- You will notice that the page is still publicly accessible.
## Supporting Material/References
Let me know if you require one.
## Impact
Access to locked files of a restricted repository project (information disclosure).
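The report boils down to a sub-page of the repository (path_locks) being gated on project visibility instead of on the repository's own "Only project members" setting. The following is an added illustration, not GitLab's code: a hypothetical model with a `Project`, a `User` and two authorization helpers, showing the vulnerable check beside the fixed one for the exact scenario in the steps above (internal project, repository restricted to members).

```ruby
# Added example (hypothetical model, not GitLab's implementation): project-level
# visibility versus repository-feature visibility, and why a repository sub-page
# such as path_locks must reuse the repository check, not the project check.

Project = Struct.new(:visibility, :repository_access, :members)
User = Struct.new(:name, :authenticated)

# Can the user see the project landing page at all?
def can_see_project?(user, project)
  case project.visibility
  when :public then true
  when :internal then user.authenticated
  else project.members.include?(user.name)   # :private
  end
end

# Can the user read repository data? Requires project access AND the
# repository feature level ("Only project members" == :members_only).
def can_read_repository?(user, project)
  return false unless can_see_project?(user, project)
  case project.repository_access
  when :everyone then true
  when :members_only then project.members.include?(user.name)
  else false                                  # :disabled
  end
end

# Vulnerable pattern: the locked-files page only asks "can this user see the
# project?", so a non-member on an internal/public project still gets it.
def path_locks_visible_vulnerable?(user, project)
  can_see_project?(user, project)
end

# Fixed pattern: locked files are repository data, so the page inherits the
# repository check and a non-member is refused.
def path_locks_visible_fixed?(user, project)
  can_read_repository?(user, project)
end

# Constructed scenario from the report: internal project, repository members-only.
VICTIM_PROJECT = Project.new(:internal, :members_only, ['victim'])
VICTIM = User.new('victim', true)
ATTACKER = User.new('attacker', true)   # logged in, but not a member
```

Running the two helpers against `ATTACKER` and `VICTIM_PROJECT` shows the vulnerable check granting access and the fixed check refusing it, while the project member keeps access in both.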