Non-logged-in users can query information about existing users

Hello!

We are running a self-managed Omnibus GitLab instance v14.1.7 and we are getting “attacked” by bots.
I have found that even non-logged-in users can perform searches, figure out usernames and try to brute force.

https://gitlab.example.com/search?group_id=&project_id=&repository_ref=&scope=users&search=aaa&snippets=false

The link above shows the way you can make queries, and since 3 letters are required to get a result of matching users, people need ~17k requests to get all of the users dumped. Here’s a screenshot:

We’re currently auto-banning IPs that make multiple login failures with fail2ban, but is there a way to remove access for non-logged-in users whatsoever?

Thanks in advance.


I think you need to look in your settings. I amended the URL you provided above, placing my domain name, and whilst the search option is there, zero results are provided, even when I know exactly what I am searching for. So you must have something enabled in your settings for your GitLab install that is causing this.

In particular this:

Set “Restricted visibility levels → Public” to enabled so that only logged-in users can see stuff. This is under General → Visibility and access controls.


Thanks, this was exactly the case!

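For anyone landing on this thread later, here is an added example (not code from either poster, nor from GitLab itself) that turns the two halves of the thread into something you can run: it sizes the enumeration budget the original post describes (every 3-letter term, ~17k requests), probes whether an unauthenticated client still gets user search results, and applies the fix from the accepted reply through the admin Settings API instead of the UI. Assumptions: the probe uses the documented REST endpoint `GET /api/v4/users?search=<term>` as a stand-in for the web search page quoted in the question, the fix uses `PUT /api/v4/application/settings` with `restricted_visibility_levels[]=public`, and `BASE_URL` / `ADMIN_TOKEN` are placeholders you must replace (the token needs an admin personal access token with the `api` scope).

```python
"""Check whether an unauthenticated client can enumerate users on a GitLab
instance, and optionally apply the fix from this thread (restrict the
"public" visibility level) through the admin Settings API.

Added example for this thread; not code from the posters or from GitLab.
Assumed endpoints: GET /api/v4/users?search=<term> (probe) and
PUT /api/v4/application/settings (fix). BASE_URL and ADMIN_TOKEN are
placeholders.
"""

import itertools
import json
import string
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://gitlab.example.com"   # placeholder host from the thread
ADMIN_TOKEN = "REPLACE-WITH-ADMIN-PAT"    # placeholder: admin PAT with api scope
MIN_SEARCH_LEN = 3                         # minimum term length noted in the post


def search_url(base_url, term, scope="users"):
    """Build the web search URL shown in the original post for a given term."""
    query = urllib.parse.urlencode({
        "group_id": "", "project_id": "", "repository_ref": "",
        "scope": scope, "search": term, "snippets": "false",
    })
    return f"{base_url}/search?{query}"


def prefix_terms(length=MIN_SEARCH_LEN, alphabet=string.ascii_lowercase):
    """Every term of the minimum length over the alphabet: the request budget
    needed to sweep all username prefixes (26**3 == 17576, the ~17k figure)."""
    return ["".join(chars) for chars in itertools.product(alphabet, repeat=length)]


def classify_users_response(status, body):
    """Interpret an unauthenticated GET /api/v4/users?search= response.
    'exposed'    : 200 with a non-empty user list (enumeration works)
    'empty'      : 200 but no matches for this term
    'restricted' : 401/403, the instance refuses anonymous user lookups
    'unexpected' : anything else (proxy page, error, non-JSON body)
    """
    if status in (401, 403):
        return "restricted"
    if status == 200:
        try:
            users = json.loads(body)
        except json.JSONDecodeError:
            return "unexpected"
        if isinstance(users, list):
            return "exposed" if users else "empty"
    return "unexpected"


def _request(method, url, token=None, data=None):
    """Small urllib wrapper returning (status, body). Does real network I/O."""
    req = urllib.request.Request(url, method=method, data=data)
    if token:
        req.add_header("PRIVATE-TOKEN", token)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def check_exposure(base_url, term="aaa"):
    """Anonymous probe: does the Users API answer a search with no token?"""
    url = f"{base_url}/api/v4/users?" + urllib.parse.urlencode({"search": term})
    return classify_users_response(*_request("GET", url))


def restrict_public_level(base_url, token):
    """Apply the accepted fix via the Settings API: add 'public' to
    restricted_visibility_levels (same as General -> Visibility and access
    controls -> Restricted visibility levels -> Public in the admin UI)."""
    data = urllib.parse.urlencode({"restricted_visibility_levels[]": "public"}).encode()
    status, body = _request("PUT", f"{base_url}/api/v4/application/settings", token, data)
    if status != 200:
        return status, body
    return status, json.loads(body).get("restricted_visibility_levels")


if __name__ == "__main__":
    print(f"{len(prefix_terms())} {MIN_SEARCH_LEN}-letter terms, e.g. {search_url(BASE_URL, 'aaa')}")
    print("before:", check_exposure(BASE_URL))
    print("settings:", restrict_public_level(BASE_URL, ADMIN_TOKEN))
    print("after:", check_exposure(BASE_URL))
```

Run it once before and once after the change; a healthy result is `restricted` on the second probe. Note that the probe checks the REST API rather than the HTML search page from the question, because the JSON list is unambiguous to parse, whereas the web page simply renders zero results (as the reply observed) once public visibility is restricted.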