Public projects "Only Project Members" issues configuration bypass via "serviceDeskAddress" being inferable by everyone
HackerOne report #1497561 by jimeno
on 2022-03-02, assigned to @cmaxim:
Report
Summary
When a project is Public but has its issue tracker configured for project members only, it shouldn't be possible for any non-project member to create an issue in it.
However, the service desk email inbox address can be inferred by the attacker. They follow the same pattern. Always.
contact-project+PROJECTOWNERUSERNAME-PROJECTNAME-PROJECTID-issue-[@]incoming.gitlab.com
For Public projects, all of these are public:
- PROJECTOWNERUSERNAME -> username of the project owner
- PROJECTNAME -> project name (seen in the URL when viewing the project)
- PROJECTID -> shown by GitLab to all users who have view access to the project, i.e. to everyone on Public projects
Here you can see how non-project members aren't supposed to view the serviceDeskAddress of these projects.
![Captura_de_pantalla_2022-03-02_a_las_12.27.27.png](https://h1.sec.gitlab.net/a/dfd2034b-c7d2-47aa-8c7b-23b9e68541fd/Captura_de_pantalla_2022-03-02_a_las_12.27.27.png)
Steps to reproduce
Setup
- Create a Public project
- Go to visibility settings, make sure Issues are enabled but only for Project Members
Attacker
- Browse to the project
- Build the email address by replacing the values
- Open your email (the one with which the attacker signed up to GitLab)
- Send an email with "Test" in subject and body
- Wait ~3 minutes
Victim
- Refresh the issues list on your project and notice an issue was created by someone who wasn't supposed to be able to do so.
Impact
Unauthenticated users can create issues on Public projects despite them being configured so that only project members can use the issue tracker/create issues.
Examples
Please note that you won't be able to view the created issue, since it's confidential, but I'm adding a screenshot of it.
https://gitlab.com/naaytesting/publicproject-no-issue-tracker/
![Captura_de_pantalla_2022-03-02_a_las_12.25.51.png](https://h1.sec.gitlab.net/a/a2efa480-d263-41d7-bee9-acd8476bd54b/Captura_de_pantalla_2022-03-02_a_las_12.25.51.png)
What is the current bug behavior?
Unauthenticated users can create issues on Public projects despite them being configured so that only project members can use the issue tracker/create issues.
What is the expected correct behavior?
Issues received through the serviceDeskAddress aren't created if the email sender isn't a member of the project, OR the serviceDeskAddress for public projects whose issues are configured for project members only gets randomized in a way that cannot be inferred by project visitors.
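The following is an added example, not GitLab's code and not part of the original report. It models, in plain Ruby, the address scheme described under "Summary" (the `contact-project+OWNER-NAME-ID-issue-@incoming.gitlab.com` pattern) and the two expected behaviours above: the reported handler that creates an issue for any parseable recipient, beside a sender-membership check and a randomized per-project key. The `Project` struct, the handler names, the `PROJECTS` table and the e-mail addresses are constructed assumptions for the demonstration.

```ruby
require 'securerandom'

# Added example (not GitLab code): a model of the Service Desk address scheme from the
# report and of the two fixes proposed under "expected correct behavior". The address
# pattern follows the report; project fields and handler names are assumptions.

INCOMING_DOMAIN = 'incoming.gitlab.com'

Project = Struct.new(:id, :owner, :name, :issues_members_only, :member_emails, keyword_init: true)

# Attacker side: every input here is visible to any visitor of a Public project.
def infer_service_desk_address(owner:, name:, id:)
  "contact-project+#{owner}-#{name}-#{id}-issue-@#{INCOMING_DOMAIN}"
end

# Inbound side: split the recipient address back into the routing key and project ID.
ADDRESS_RE = /\Acontact-project\+(?<key>.+)-(?<id>\d+)-issue-@#{Regexp.escape(INCOMING_DOMAIN)}\z/

def parse_service_desk_address(to)
  m = ADDRESS_RE.match(to)
  m && { key: m[:key], id: m[:id].to_i }
end

# Resolve the recipient to a project; returns [project, parsed] or [nil, reason].
def lookup(projects, to)
  parsed = parse_service_desk_address(to) or return [nil, :rejected_unparseable]
  project = projects[parsed[:id]] or return [nil, :rejected_unknown_project]
  [project, parsed]
end

# Reported behaviour: any mail to a parseable address creates a confidential issue,
# regardless of who sent it or of the project's issue visibility setting.
def handle_inbound_vulnerable(projects, from:, to:)
  project, parsed = lookup(projects, to)
  return parsed if project.nil?
  { project_id: project.id, author: from, confidential: true }
end

# Fix 1: when issues are restricted to project members, reject non-member senders.
def handle_inbound_member_check(projects, from:, to:)
  project, parsed = lookup(projects, to)
  return parsed if project.nil?
  if project.issues_members_only && !project.member_emails.include?(from.downcase)
    return :rejected_not_member
  end
  { project_id: project.id, author: from, confidential: true }
end

# Fix 2: replace the derivable "owner-name" key with a random per-project secret,
# so the address cannot be inferred from public project metadata.
def randomized_service_desk_address(project, keys)
  keys[project.id] ||= SecureRandom.hex(16)
  "contact-project+#{keys[project.id]}-#{project.id}-issue-@#{INCOMING_DOMAIN}"
end

def handle_inbound_random_key(projects, keys, from:, to:)
  project, parsed = lookup(projects, to)
  return parsed if project.nil?
  return :rejected_bad_key unless keys[project.id] && keys[project.id] == parsed[:key]
  { project_id: project.id, author: from, confidential: true }
end

# Constructed scenario: a Public project with issues limited to members, and an
# attacker who has a GitLab account but is not a member.
PROJECTS = {
  42 => Project.new(id: 42, owner: 'victimowner', name: 'publicproject',
                    issues_members_only: true, member_emails: ['owner@example.com'])
}

if __FILE__ == $PROGRAM_NAME
  to = infer_service_desk_address(owner: 'victimowner', name: 'publicproject', id: 42)
  p handle_inbound_vulnerable(PROJECTS, from: 'attacker@example.com', to: to)   # issue created
  p handle_inbound_member_check(PROJECTS, from: 'attacker@example.com', to: to) # :rejected_not_member
  keys = {}
  secret_to = randomized_service_desk_address(PROJECTS[42], keys)
  p handle_inbound_random_key(PROJECTS, keys, from: 'attacker@example.com', to: to) # :rejected_bad_key
  p handle_inbound_random_key(PROJECTS, keys, from: 'owner@example.com', to: secret_to) # issue created
end
```

The membership check keys on the sender address, which is exactly as trustworthy as the `From:` header of the inbound mail, so it only closes the hole for senders who do not spoof; the random key closes it regardless of sender, at the cost of making the address impossible to derive for legitimate members too.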
Relevant logs and/or screenshots
N/A
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A. I only tested this against the SaaS environment.
Impact
Unauthenticated users can create issues on Public projects despite them being configured so that only project members can use the issue tracker/create issues.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- Captura_de_pantalla_2022-03-02_a_las_12.25.51.png
- Captura_de_pantalla_2022-03-02_a_las_12.17.20.png
- Captura_de_pantalla_2022-03-02_a_las_12.27.27.png
How To Reproduce
Please add reproducibility information to this section:
Proposed Fix
- Add a warning when enabling Service Desk for a public project that it will be possible to infer the address from the visible group and project name. Something like, "As this project is public, it will be possible for non-members to infer the Service Desk email address."
- We could also update the docs to match this slightly.