Last commit message, description & sha1 hash of a private repo in a private group is leaked to guest users through merge request (#351823) · Issues · GitLab.org / GitLab

Last commit message, description & sha1 hash of a private repo in a private group is leaked to guest users through merge request

**[HackerOne report #1465994](https://hackerone.com/reports/1465994)** by `albatraoz` on 2022-01-31, assigned to `GitLab Team`: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce) ## Report ##### Summary Commit related details like commit message, description, sha1, etc are leaked to demoted guest users who should not have access to the repository of a private project according to the [permission model](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions). This information is leaked through a fork of the project created by the user(reporter/developer) before being demoted to guest. Once being demoted to guest, the user is able to sneak all the latest commits to the parent branch. ##### Steps to reproduce 1. Create a private project in a group as user A. 2. Add User B as a reporter to this project. 3. As User B create a fork of the project on you personal namespace. 4. As User A demote User B to guest from the group settings. 5. As User B visit the forked repo & go to the create new merge request. In the target branch you will see the parent branch is selected & the commit message is being leaked. 6. As User A add a new commit message to the parent branch. 7. As User B refresh the page opened in step 5 & you will see the latest commit added by User A in step 6. ##### POC Attaching a video as POC for easier reproduction of the issue ![commit_leak.mp4](https://h1.sec.gitlab.net/a/379b0a6a-1ceb-4efc-9569-5e6e26149eb2/commit_leak.mp4) #### Impact An attacker would be able to snoop into commit messages on the default branch even after being demoted to guest user. These commit messages or descriptions may include confidential information to the repo like unreleased features/ vulnerability information, etc ## Attachments **Warning:** Attachments received through HackerOne, please exercise caution! * [commit_leak.mp4](https://h1.sec.gitlab.net/a/379b0a6a-1ceb-4efc-9569-5e6e26149eb2/commit_leak.mp4) ## How To Reproduce Please add [reproducibility information] to this section: 1. 1. 1. [reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues

issue