The content of the private project remains available after users are removed from the project members
HackerOne report #1162509 by 0xn3va
on 2021-04-13, assigned to @vdesousa:
Report
Summary
GitLab allows users with a developer role to create merge requests from an upstream project into a forked one. Users can use this to read all changes in a particular branch of the upstream project, even after an owner removes them from the project members.
Steps to reproduce
- Log in as user1
- Create and initialize a private project
- Add user2 to the project with a developer role
- Log in as user2
- Fork the project
- Create a merge request from user1:master (the upstream project) to user2:master (the forked project) with the following request:

  POST /<user1>/<private-project>/-/merge_requests HTTP/1.1
  ...
  utf8=%E2%9C%93&authenticity_token=<token>&merge_request%5Btitle%5D=Title&merge_request%5Bsource_project_id%5D=<forked-project-id>&merge_request%5Bsource_branch%5D=<upstream-branch-name>&merge_request%5Btarget_project_id%5D=<forked-project-id>&merge_request%5Btarget_branch%5D=<forked-branch-name>

- Log in as user1 and remove user2 from the members (set the "Also unassign this user from related issues and merge requests" checkbox)
- Create a file in the upstream project
- Log in as user2 and go to the merge request; all changes are available
Impact
The content of the private project remains available after users are removed from the project members
What is the current bug behavior?
After the user is removed from the private project's members, the content of a particular branch can still be read through a merge request into the forked project.
What is the expected correct behavior?
Access to the content of the private project must be denied after removing the user from the members.
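The expected behaviour above amounts to an authorization rule: a merge request whose diff exposes another project's commits must only be viewable by someone who can currently read both the source and the target project, and that check has to be re-evaluated at view time rather than fixed when the merge request is created. The following Ruby is an added illustration of that rule and is not GitLab's own code; the Project and MergeRequest classes, the can_view_mr? helpers and the user names are hypothetical, and the scenario follows the steps in the report.

```ruby
# Added illustration, not GitLab code: a minimal model of the authorization
# decision for viewing a cross-project merge request. All names are hypothetical.

Project = Struct.new(:name, :members, :visibility) do
  # A private project is readable only by its current members.
  def readable_by?(user)
    visibility == :public || members.include?(user)
  end
end

MergeRequest = Struct.new(:source_project, :source_branch,
                          :target_project, :target_branch)

# Weak model: only the target project (the fork the viewer owns) is checked,
# so the source project's commits stay visible after membership is revoked.
def can_view_mr_target_only?(user, mr)
  mr.target_project.readable_by?(user)
end

# Corrected model: the diff reveals source-project content, so the viewer
# must be able to read BOTH projects at the moment the request is viewed.
def can_view_mr?(user, mr)
  mr.target_project.readable_by?(user) && mr.source_project.readable_by?(user)
end

# Constructed scenario mirroring the report: user2 is a member of the private
# upstream, forks it, opens an upstream -> fork merge request, then is removed.
def scenario
  upstream = Project.new("user1/private-project", ["user1", "user2"], :private)
  forked   = Project.new("user2/private-project", ["user2"], :private)
  mr = MergeRequest.new(upstream, "master", forked, "master")

  before = { target_only: can_view_mr_target_only?("user2", mr),
             both:        can_view_mr?("user2", mr) }

  upstream.members.delete("user2") # owner removes user2 from the upstream project

  after = { target_only: can_view_mr_target_only?("user2", mr),
            both:        can_view_mr?("user2", mr) }

  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  p scenario
end
```

Running the scenario shows the two models agreeing while user2 is still a member and diverging after removal: the target-only check keeps granting access, while the corrected check denies it, which is the behaviour the report asks for.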
Results of GitLab environment info
$ gitlab-rake gitlab:env:info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.3
Redis Version: 6.0.10
Git Version: 2.29.0
Sidekiq Version: 5.2.9
Go Version: unknown
GitLab information
Version: 13.10.2-ee
Revision: cc4224220e6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.6
URL: http://0xn3va.gitlab.local
HTTP Clone URL: http://0xn3va.gitlab.local/some-group/some-project.git
SSH Clone URL: git@0xn3va.gitlab.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: gitlab
GitLab Shell
Version: 13.17.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git