Using the group search, you can access merge requests (MRs) and code that a project has set as “not public”.
Create a public group and, inside it, a public project whose code is set to private.
Push some code, log out, and search for that code with the group search: you will find it even though it should be private.
I provide some working links in the example section.
An attacker can extract all the private code, private MRs and private commits from a project.
I am going to use customers.gitlab.com examples because that is how I actually found the problem: the searches I did relate to a HackerOne report I had published earlier. I haven’t saved any data or screenshots of what I found, apart from the one attached.
[Screenshot: group search result showing the MR “Resolve "Account takeover due to IDOR on customers.gitlab.com [applicable for gitlab users only]"” from the customer-gitlab-com project, which has no public code/MRs]
You can do the same thing for the code:
[Screenshot: code search result containing the line “In order to create an account for the [admin panel]”]
In the case of MRs, you can also use the wildcard symbol and filter by project to extract all the private MRs:
When you filter by project, the code search stops working, so to extract all the code you have to use a custom search, but it is still feasible.
You get the point; commits are affected as well:
Issues are not affected by this bug.
Leak of MR overviews, code, commits, and I suspect also wiki content, but for some reason the group search of the wiki didn’t work on my personal group, and I didn’t want to look through other gitlab-org data.
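The check that the group search was evidently not applying, as an added reference example (my own simplified model, not GitLab’s code): every hit of a group-wide search must be filtered through the owning project’s per-feature visibility setting before it is returned to the viewer. The viewer/role model, project names and sample hits are constructed.

```python
# Reference authorization filter for group-wide search (simplified model, not GitLab's code).
# Feature access-level names follow GitLab's project settings ("disabled" / "private" / "enabled");
# the viewer model is an assumption kept deliberately small.
from dataclasses import dataclass

# Search scope -> the project feature whose visibility governs it
FEATURE_FOR_SCOPE = {
    "blobs": "repository",
    "commits": "repository",
    "merge_requests": "merge_requests",
    "wiki_blobs": "wiki",
}

@dataclass(frozen=True)
class Project:
    name: str
    visibility: str   # "private" | "internal" | "public"
    features: dict    # feature name -> "disabled" | "private" | "enabled"

@dataclass(frozen=True)
class Viewer:
    logged_in: bool
    member_of: frozenset  # names of projects the viewer is a member of

def can_see_project(viewer, project):
    if project.name in viewer.member_of or project.visibility == "public":
        return True
    return project.visibility == "internal" and viewer.logged_in

def can_see_feature(viewer, project, feature):
    level = project.features.get(feature, "enabled")
    if level == "disabled":
        return False
    if level == "private":          # members only, even in a public project
        return project.name in viewer.member_of
    return can_see_project(viewer, project)

def filter_group_search(viewer, scope, hits):
    """Keep only hits (Project, text) whose governing feature the viewer may see."""
    feature = FEATURE_FOR_SCOPE[scope]
    return [(p, text) for p, text in hits if can_see_feature(viewer, p, feature)]

# Constructed sample mirroring the report: public project, private code and MRs
LEAKY = Project("customer-gitlab-com", "public",
                {"repository": "private", "merge_requests": "private"})
OPEN = Project("demo", "public", {"repository": "enabled", "merge_requests": "enabled"})
ANON = Viewer(logged_in=False, member_of=frozenset())

def demo():
    hits = [(LEAKY, "Resolve account takeover"), (OPEN, "Add README")]
    return [p.name for p, _ in filter_group_search(ANON, "merge_requests", hits)]
```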
[Screenshot: “No search result”]
[Screenshot: an MR of customers.gitlab.com I shouldn’t have access to; notice that I am not logged in in this screenshot]
This bug happens on GitLab.com.