Not logged in users can query information about existing users


We are running self-managed omnibus GitLab instance v14.1.7 and we are getting “attacked” by bots.
I have found that even not logged in users can perform searchs and figure out usernames and try to brute force.

The link above shows the way you can make queries and since 3 letters are required to get a result of the matching users people need ~17k requests to get all of the users dumped. Here’s a screenshot:

We’re currently auto banning ip-s that make multiple login failures with fail2ban, but is there a way to remove access to non logged users whatsoever?

Thanks in advance.

1 Like

I think you need to look in your settings. I amended the url you provided above placing my domain name, and whilst the search option is there, zero results are provided, even when I know exactly what I am searching for. So you must have something enabled in your settings for your Gitlab install that is causing this.

In particular this:

Set restricted visibility levels public enabled so that only logged in users can see stuff. This is under General → Visibility and Access Controls.

1 Like

Thanks this was exactly the case!

1 Like