GitLab: Group search leaks private MRs, code, commits

Summary

Using the group search you can access MRs and code set as “not public” in a project

Steps to reproduce

Create a public group, create a public project inside the group, but with private code.
Push some code, search in the group search the code while logged out, you will find it also if it should be private.

I provide some working links in the example section.

Impact

An attacker can extract all the private code, private MRs, private commits from a project

Examples

I am going to use customers.gitlab.com examples because it is how I actually found the problem - the search I have done are about a Hackerone report I first published. I haven’t saved any data, nor screenshot of what I have found, apart from the one attached

1. Go to https://gitlab.com/gitlab-org in a private window
2. In the top right bar, insert Resolve "Account takeover due to IDOR on customers.gitlab.com [applicable for gitlab users only]"
3. Select “Merge requests”
4. You see in the search result a MR that should be private, since the customer-gitlab-com project has no public code/MR
5. Link: https://gitlab.com/search?group_id=9970&project_id=&repository_ref=&scope=merge_requests&search=Resolve+"Account+takeover+due+to+IDOR+on+customers.gitlab.com+[applicable+for+gitlab+users+only]"

You can do the same thing for the code:

1. Go to https://gitlab.com/gitlab-org in a private window
2. In the top right bar, insert In order to create an account for the [admin panel]
3. Select “Code”
4. You see a piece of the README of customers.gitlab.com, which has a private code
5. Link: https://gitlab.com/search?group_id=9970&repository_ref=&scope=blobs&search=In+order+to+create+an+account+for+the+[admin+panel]&snippets=#

In the case of MRs, you can use also the wildcard symbol and filter by project, to extract all the private MRs:

https://gitlab.com/search?utf8=✓&snippets=&scope=merge_requests&repository_ref=&search=*&group_id=9970&project_id=2670515

When you filter by project, the code search stops to work, so if you want to extract all the code you have to apply custom search, but it is still feasible.

You got the point, we have also commits:

• https://gitlab.com/search?utf8=✓&snippets=&scope=commits&repository_ref=&search=Merge+branch+'433-idor-fix'+into+'staging'&group_id=9970

Issues are not affected by this bug

What is the current bug behavior?

Leak of MRs overview, code, commits, and I suspect also wiki, but for some reason group search of wiki didn’t work on my personal group, and I didn’t want to look over other gitlab-org data

What is the expected correct behavior?

No search result

Relevant logs and/or screenshots

A MR of customers.gitlab.com I shouldn’t have access to. Notice how I am not logged in in this screenshot

Output of checks

This bug happens on GitLab.com

Impact

An attacker can extract all the private code, private MRs, private commits from a project