Security Exceptions

Greetings… My security team is having kittens over some minor security exceptions they found while scanning. they have reported to me /api/v4/projects is open and project data is exposed. How can I secure this? It shouldnt matter where in the system we are you should always have to authenticate to access any information. Is this possible?


What is the exact URL they are using to verify this? Because this is not possible. If projects are private or internal, then without authenticating with an API token, then no data will appear. Therefore, if project data is being returned, then they are using a header parameter with:

"PRIVATE-TOKEN: api-access-token"

or, if using just a URL, then your project visibility is public. If they aren’t using a token, in the web interface, select a project that they could see from the list. Go to Settings → General → Visibility, project features, permissions and then see what you actually have enabled here. If they are public, change to internal or private.

I have verified this on mine, so it’s simply not possible to show it without authenticating with a token unless the project visibility is public.

The URL they are complaining about is this one

They are saying the data exposed is a security violation and needs to be remedied. The rest of the site is inaccessible but this one is open. They said in the exception report that it has something to do with how the project has groups assigned to it. It appears that only one user has set his projects so they can be viewed. I need to figure out a way to stop this regardless of what the user sets it to.

Here is the resolution they offered.


This can be fixed by restricting which groups can be added to a project by a user. The issue itself originates from line 11 of the Projects ::GroupLinksController , which can be found at app/controllers/ projects /group_links_controller.rb .

So, did you check on your Gitlab server the items I told you to check? Did you see if the projects are marked as public, internal or private?

Remediation: change the project from public to private or internal, so that it isn’t available without authenticating. Alternatively, check the group settings and see what visibility is there as well and make sure it also is private or internal.

I have all my projects on my own Gitlab server set to internal or private, and my server is available on the internet. And making such a request with the same URL format like yours doesn’t provide any results.

I suggest as per my previous post to check the settings that I told you to check and make sure that group is private or internal, or that the project is private or internal. You don’t need to edit any RB files.

I did. The one project was marked as public which I changed. Do you know of a way to disable or remove public as an option?

I found a setting for it. Thank you for your help.

OK, yes I verified, the last remaining project is no longer showing anymore. This afternoon when you replied it was still open and public. But now it’s not, so all good :+1:

Yes, Settings → General → Visibility and access controls → Restricted visibility levels → Select Public.

That way public will no longer be an available option for people to select. Only admins will be able to choose public.