Project owner can disclose last commit and MRs, issues count of Only Project Members forks
HackerOne report #1055508 by shells3c on 2020-12-10, assigned to @rchan-gitlab:
Report
Summary
If you fork a project and set your forked project's repository visibility to Only Project Members (as well as issues), the project owner can still spy on your project's commits and the number of MRs, issues and forks.
Steps to reproduce
- User A creates a project, calls it foo
- User B forks user A's project, calls it bar
- User B uses user A's project as a template and edits the repository to fit his company's server configuration and information
- To prevent other users from accessing private information in his repository or reading the source code of his server, user B sets the repository and issues visibility to Only Project Members
- Now, as user A, visit https://gitlab.com/user-A/foo/-/forks. On this page you will be able to see user B's project's last commit, with the number of merge requests, issues and forks. By fetching this information every hour, user A will be able to monitor user B's project's commits
Output of checks
This bug happens on GitLab.com
Impact
If a malicious user can create a popular project, he can monitor the repository commits of companies who use his open-source project template! And accessing forks, MRs and issues counts is a big violation
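As an added illustration (not the reporter's text and not GitLab's code), the following Ruby model shows the authorization gap the report describes and a viewer-aware fix: each piece of fork metadata on a forks listing is gated on the feature-visibility setting that owns it, instead of being rendered unconditionally for anyone who can see the parent project. The `Fork` struct, the helper names, the `leaked_fields` check and the sample fork `user-B/bar` are hypothetical; only the three access-level constants mirror GitLab's `ProjectFeature` levels (DISABLED / PRIVATE / ENABLED).

```ruby
# Hypothetical model of a forks listing (not GitLab's implementation).
# Feature access levels; these three values mirror GitLab's ProjectFeature
# constants, everything else in this file is an illustrative assumption.
DISABLED = 0
PRIVATE  = 10   # "Only Project Members"
ENABLED  = 20

# Hypothetical fork record: what a forks page has at hand when rendering.
Fork = Struct.new(:path, :members, :repository_access, :issues_access,
                  :merge_requests_access, :last_commit, :mr_count,
                  :issue_count, :fork_count, keyword_init: true)

# Can +viewer+ use a feature with access +level+ on +fork+?
def feature_visible?(fork, level, viewer)
  case level
  when ENABLED then true
  when PRIVATE then fork.members.include?(viewer)
  else false                       # DISABLED: visible to nobody
  end
end

# Leaky listing: emits every fork's metadata regardless of who is looking.
# This is the behaviour the report describes.
def leaky_fork_summary(fork, _viewer)
  { path: fork.path, last_commit: fork.last_commit, mr_count: fork.mr_count,
    issue_count: fork.issue_count, fork_count: fork.fork_count }
end

# Hardened listing: every field is gated on the feature that owns it.
# The fork's path stays visible, since the parent project's owner can
# already see that a fork exists; the restricted details do not.
def safe_fork_summary(fork, viewer)
  summary = { path: fork.path }
  if feature_visible?(fork, fork.repository_access, viewer)
    summary[:last_commit] = fork.last_commit
    summary[:fork_count]  = fork.fork_count   # forking requires repository read
  end
  if feature_visible?(fork, fork.merge_requests_access, viewer)
    summary[:mr_count] = fork.mr_count
  end
  if feature_visible?(fork, fork.issues_access, viewer)
    summary[:issue_count] = fork.issue_count
  end
  summary
end

# Regression check: which fields does the leaky listing expose to +viewer+
# that the hardened listing withholds?
def leaked_fields(fork, viewer)
  leaky_fork_summary(fork, viewer).keys - safe_fork_summary(fork, viewer).keys
end

# Constructed sample data. BAR is user B's fork with repository (and thus
# merge requests) and issues set to Only Project Members; PUBLIC_FORK has
# everything enabled, so both listings should agree on it.
BAR = Fork.new(path: "user-B/bar", members: ["user-B"],
               repository_access: PRIVATE, issues_access: PRIVATE,
               merge_requests_access: PRIVATE,
               last_commit: "c0ffee1 Add prod nginx config",
               mr_count: 3, issue_count: 7, fork_count: 1)

PUBLIC_FORK = Fork.new(path: "user-C/baz", members: ["user-C"],
                       repository_access: ENABLED, issues_access: ENABLED,
                       merge_requests_access: ENABLED,
                       last_commit: "abc1234 Initial import",
                       mr_count: 0, issue_count: 2, fork_count: 0)

if __FILE__ == $PROGRAM_NAME
  p leaky_fork_summary(BAR, "user-A")   # owner of the parent sees everything
  p safe_fork_summary(BAR, "user-A")    # only the path
  p safe_fork_summary(BAR, "user-B")    # the member sees the full summary
  p leaked_fields(BAR, "user-A")
end
```

Running the file prints the leaky and hardened summaries side by side for user A (the parent project owner, not a member of the fork) and for user B (a member). The `leaked_fields` helper is the kind of assertion a regression test would carry once the forks page is fixed: for a non-member it must return an empty list.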
How To Reproduce
Please add reproducibility information to this section: