Group search leaks private MRs, code, commits
HackerOne report #692252 by rpadovani, on 2019-09-11:
Corresponding security issue: https://dev.gitlab.org/gitlab/gitlab-ee/issues/381
Summary
Using the group search you can access MRs and code set as "not public" in a project
The following combinations of project visibility and feature access level would leak (failing spec cases):
Details
ProjectService merge request search
- project_level: :public, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
- project_level: :internal, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
- project_level: :private, feature_access_level: :enabled, membership: :non_member, expected_count: 0 respects visibility
- project_level: :private, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
GroupService merge request search
- project_level: :public, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
- project_level: :internal, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
GroupService code search
- project_level: :public, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
- project_level: :internal, feature_access_level: :private, membership: :non_member, expected_count: 0 respects visibility
Steps to reproduce
Create a public group, then create a public project inside the group but with its code set to private.
Push some code, then search for that code with the group search while logged out: you will find it even though it should be private.
I provide some working links in the example section.
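As an added illustration (not GitLab's code), the following toy model shows the per-result check that the spec cases under Details expect: a result from a project whose feature is private must be hidden from non-members even when the project itself is public or internal. It contrasts a filter that only checks project visibility (the leaking behaviour reported above) with one that also enforces the feature access level; all names are hypothetical and the search hit is constructed.

```ruby
# Added example, not GitLab's code: a toy model of the per-result visibility
# check a group search must apply. All names here are hypothetical.
Project = Struct.new(:name, :visibility, :mr_access, keyword_init: true)
User    = Struct.new(:name, :memberships, keyword_init: true) # memberships: project names
def member?(project, user)
  !user.nil? && user.memberships.include?(project.name)
end

# project_level in the spec: can this user see the project at all?
def project_visible?(project, user)
  case project.visibility
  when :public   then true
  when :internal then !user.nil?            # any signed-in user
  when :private  then member?(project, user)
  else false
  end
end

# feature_access_level in the spec: can this user see the feature (e.g. MRs)?
# A :private feature is members-only even when the project itself is public.
def feature_visible?(project, feature_level, user)
  return false unless project_visible?(project, user)
  case feature_level
  when :enabled then true
  when :private then member?(project, user)
  else false                                # :disabled
  end
end

# Leaky filter: checks only the project's visibility, so a public project with
# private merge requests exposes them to an anonymous group search.
def group_search_leaky(results, user)
  results.select { |r| project_visible?(r[:project], user) }
end

# Fixed filter: the feature access level is enforced for every result.
def group_search(results, user)
  results.select { |r| feature_visible?(r[:project], r[:project].mr_access, user) }
end

# Runs one spec-style case on constructed data and returns the result count.
def result_count(project_level, feature_level, user, leaky: false)
  project = Project.new(name: "customers", visibility: project_level, mr_access: feature_level)
  results = [{ project: project, title: "Resolve private MR" }]   # one constructed hit
  (leaky ? group_search_leaky(results, user) : group_search(results, user)).size
end
# The four ProjectService cases from the report, all expecting 0 for a non-member.
SPEC_CASES = [[:public, :private], [:internal, :private], [:private, :enabled], [:private, :private]].freeze
NON_MEMBER = User.new(name: "outsider", memberships: [])
```

Running the four spec cases through `group_search` with `NON_MEMBER` returns 0 hits each, while `group_search_leaky` returns the private MR for the public and internal projects.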
Impact
An attacker can extract all the private code, private MRs and private commits from a project.
Examples
I am going to use customers.gitlab.com examples because it is how I actually found the problem - the searches I have done are about a HackerOne report I first published. I haven't saved any data, nor screenshots of what I have found, apart from the one attached.
- Go to https://gitlab.com/gitlab-org in a private window
- In the top right search bar, insert:
  Resolve "Account takeover due to IDOR on customers.gitlab.com [applicable for gitlab users only]"
- Select "Merge requests"
- You see in the search results an MR that should be private, since the customer-gitlab-com project has no public code/MRs.
  Link: https://gitlab.com/search?group_id=9970&project_id=&repository_ref=&scope=merge_requests&search=Resolve+%22Account+takeover+due+to+IDOR+on+customers.gitlab.com+%5Bapplicable+for+gitlab+users+only%5D%22
You can do the same thing for the code:
- Go to https://gitlab.com/gitlab-org in a private window
- In the top right search bar, insert:
  In order to create an account for the [admin panel]
- Select "Code"
- You see a piece of the README of customers.gitlab.com, whose code is private.
  Link: https://gitlab.com/search?group_id=9970&repository_ref=&scope=blobs&search=In+order+to+create+an+account+for+the+%5Badmin+panel%5D&snippets=#
In the case of MRs, you can also use the wildcard symbol and filter by project to extract all the private MRs:
When you filter by project, the code search stops working, so if you want to extract all the code you have to craft custom searches, but it is still feasible.
You get the point; the same applies to commits:
Issues are not affected by this bug
What is the current bug behavior?
Leak of the MR overview, code, commits, and I suspect also wikis, but for some reason the group search of wikis didn't work on my personal group, and I didn't want to look over other gitlab-org data.
What is the expected correct behavior?
No search result
Relevant logs and/or screenshots
An MR of customers.gitlab.com that I shouldn't have access to. Notice how I am not logged in in this screenshot.
Output of checks
This bug happens on GitLab.com