Guest User Able to View SHA of Releases in Private Projects
HackerOne report #764761 by rafiem
on 2019-12-26, assigned to @estrike:
Hi Team, I have found an information disclosure in private projects. When a user is invited as a guest to a private project, the user is able to get the release information of the project, but a guest user cannot view the tag name and SHA of the commit on the release page or in the API. In the recent update of GitLab (12.6), there is a feature to filter merge requests and issues based on releases. It turns out the endpoint used to get the release name exposes the tag name and SHA to guest users of private projects.
Proof of Concept
1.) User A creates a private project
2.) User A then creates an example tag/release in the project
3.) User A invites User B as a Guest User to the project
4.) User B then accesses the releases.json endpoint, in this case: https://gitlab.com/jumbre/jumsol/-/releases.json
5.) User B gets the following response, which exposes the tag name and commit SHA used in the release (in the Guest role):
[
  {
    "id": 1160330,
    "tag": "xzc",
    "description": "asd",
    "project_id": 16040312,
    "created_at": "2019-12-26T13:29:21.376Z",
    "updated_at": "2019-12-26T13:29:21.376Z",
    "author_id": 4887622,
    "name": "xzc",
    "sha": "51d3c429cc21be061a460ab8823e1e8e6be8cd04",
    "released_at": "2019-12-26T13:29:21.373Z"
  },
  {
    "id": 1160327,
    "tag": "xxx",
    "description": "asdasd",
    "project_id": 16040312,
    "created_at": "2019-12-26T13:27:37.059Z",
    "updated_at": "2019-12-26T13:27:37.059Z",
    "author_id": 4887622,
    "name": "xxx",
    "sha": "51d3c429cc21be061a460ab8823e1e8e6be8cd04",
    "released_at": "2019-12-26T13:27:37.055Z"
  }
]
History
It seems this vulnerability was introduced by !18761 (merged). It doesn't filter out release properties by user permission. Actually, we had exactly the same issue, gitlab-foss#56402 (closed), in the past. We fixed the vulnerable API, but it seems the above MR introduced a new endpoint that exposes release entries without a proper permission check.
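The missing permission filter described above, as an added illustration that is not GitLab's own code: a release serializer that only includes the repository-revealing fields (tag and sha) when the viewer's role may read the repository. The role names, their ordering and the reporter-level threshold are assumptions of this example, and the sample entry is constructed from the response shown in the report.

```ruby
require 'json'

# Constructed sample entry, mirroring the releases.json payload in the report.
SAMPLE_RELEASE = {
  "id" => 1160330,
  "tag" => "xzc",
  "description" => "asd",
  "project_id" => 16040312,
  "created_at" => "2019-12-26T13:29:21.376Z",
  "updated_at" => "2019-12-26T13:29:21.376Z",
  "author_id" => 4887622,
  "name" => "xzc",
  "sha" => "51d3c429cc21be061a460ab8823e1e8e6be8cd04",
  "released_at" => "2019-12-26T13:29:21.373Z"
}.freeze

# Fields that reveal repository internals: the tag name and the commit SHA.
REPOSITORY_FIELDS = %w[tag sha].freeze

# Assumed role model: only reporter and above may read the repository;
# a guest may see that a release exists but not what it points at.
ROLE_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze
MIN_LEVEL_FOR_REPOSITORY = ROLE_LEVELS[:reporter]

def can_read_repository?(role)
  level = ROLE_LEVELS.fetch(role) { raise ArgumentError, "unknown role #{role}" }
  level >= MIN_LEVEL_FOR_REPOSITORY
end

# Serialize one release for a viewer with the given role. The permission
# check is applied per entry, so every endpoint that reuses this serializer
# gets the same filtering rather than relying on each caller to remember it.
def serialize_release(release, role)
  return release.dup if can_read_repository?(role)
  release.reject { |key, _| REPOSITORY_FIELDS.include?(key) }
end

# Build the JSON array a releases.json-style endpoint would return.
def releases_json(releases, role)
  JSON.generate(releases.map { |release| serialize_release(release, role) })
end
```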
Impact
Exposed commit SHA of private projects to guest users
Best Regards,
[@]rafiem