Intigriti - Hack Hub

Gitlab Private Source Code Snippets Exposed

Last updated 12 months ago

Description:

Your GitLab instance may expose sensitive source code, including code copied out of private repositories, if the visibility level of snippets (personal snippets or project snippets) has been set to Public, or wider than intended. Public snippets are listed on the instance's Explore page and can be read by anyone, including unauthenticated visitors, unless the administrator has restricted the Public visibility level for the whole instance.

Testing:

Visit the following application route as an unauthenticated user (a private browser window with no GitLab session) to check whether anonymous visitors can list and read snippets:

/explore/snippets

If the page lists snippets, open one and append /raw to its URL to retrieve the body as plain text. If the instance instead redirects you to the sign-in page, anonymous browsing of snippets is disabled and the check does not apply to unauthenticated users; it is still worth repeating while signed in, since Internal snippets are readable by every account on an instance with open registration.
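To automate the check, the following Python script (an added example for this page, not part of Misconfig Mapper or GitLab) fetches /explore/snippets without credentials, follows each listed snippet to its /raw body and flags contents that look like hard-coded secrets. The link format on the Explore page, the /raw route and the redirect to /users/sign_in are assumptions about GitLab's routing, the secret patterns are a small illustrative set, and the sample HTML and snippet body embedded in the script are constructed so it can be exercised offline.

```python
"""Check whether a GitLab instance lets anonymous users list and read snippets.

Added example for this page; it is not Misconfig Mapper or GitLab code.
Assumptions (not stated on the page): /explore/snippets links to snippets as
/-/snippets/<id> (personal) or /<group>/<project>/-/snippets/<id> (project),
each snippet serves its body at <path>/raw, and an instance that blocks
anonymous browsing redirects to /users/sign_in. The secret patterns are a
small illustrative set, not a complete scanner.
"""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Snippet links on the explore page (assumed route format, see module docstring).
SNIPPET_HREF = re.compile(r'href="((?:/[\w.-]+)*/-/snippets/\d+)"')

# Indicators worth flagging in a public snippet; extend for your environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_-]{20}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^'\"\s]{8,}"
    ),
}

# Constructed sample of an explore page and a leaked snippet, for offline use.
SAMPLE_EXPLORE_HTML = """
<a href="/-/snippets/new">New snippet</a>
<a href="/-/snippets/42">deploy.sh</a> <a href="/-/snippets/42">deploy.sh</a>
<a href="/acme/backend/-/snippets/7">config.yml</a>
<a href="/users/alice">alice</a>
"""
SAMPLE_SNIPPET_BODY = """#!/bin/sh
# constructed sample; every value below is fake
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
-----BEGIN OPENSSH PRIVATE KEY-----
"""


def extract_snippet_paths(html: str) -> list[str]:
    """Return unique snippet paths in the order they appear on the page."""
    paths: list[str] = []
    for match in SNIPPET_HREF.finditer(html):
        if match.group(1) not in paths:
            paths.append(match.group(1))
    return paths


def raw_path(snippet_path: str) -> str:
    """Path that serves the snippet body as plain text (assumed GitLab route)."""
    return snippet_path.rstrip("/") + "/raw"


def find_secret_indicators(text: str) -> dict[str, int]:
    """Map indicator name -> number of matches, for indicators that matched."""
    counts = {name: len(pattern.findall(text)) for name, pattern in SECRET_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def fetch(url: str) -> tuple[int, str, str]:
    """GET url without credentials; returns (status, final_url_after_redirects, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "snippet-visibility-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, url, ""


def check_instance(base_url: str, max_snippets: int = 50) -> list[tuple[str, dict[str, int]]]:
    """Anonymously list public snippets and flag the ones that look like they hold secrets."""
    status, final_url, html = fetch(urljoin(base_url, "/explore/snippets"))
    if status != 200 or "/users/sign_in" in final_url:
        print(f"[-] anonymous snippet listing not available (status {status}, {final_url})")
        return []
    paths = extract_snippet_paths(html)
    print(f"[+] {len(paths)} snippet(s) visible to anonymous users on {base_url}")
    findings = []
    for path in paths[:max_snippets]:
        status, _, body = fetch(urljoin(base_url, raw_path(path)))
        if status != 200:
            continue
        hits = find_secret_indicators(body)
        if hits:
            findings.append((path, hits))
            print(f"[!] {urljoin(base_url, path)}: {hits}")
    return findings


if __name__ == "__main__":
    check_instance(sys.argv[1] if len(sys.argv) > 1 else "https://gitlab.example.com")
```

Run it as `python3 check_snippets.py https://gitlab.example.com`. It only reads the first page of the Explore listing and assumes GitLab is served from the root of the host; adjust the paths if the instance uses a relative URL root. A non-empty listing is the misconfiguration the page describes even when no secret indicator fires, since the snippets are readable by anyone.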

Remediation:

Make sure you select the appropriate visibility level on every shared code snippet. When you create a new snippet, the visibility level is set to Private by default; Internal makes it readable by every signed-in user of the instance and Public makes it readable by anyone, including anonymous visitors.

Cross-check the saved visibility before the snippet is published, and review existing snippets on the Explore page and in each project's Snippets tab for anything that should not be there. Instance administrators can additionally set the default snippet visibility to Private and restrict the Public visibility level for the whole instance in the Admin Area (Settings, General, Visibility and access controls), so that users cannot accidentally expose sensitive data.
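Beyond checking snippets one at a time in the UI, their visibility can be audited and tightened through the GitLab REST API. The script below is an added example for this page, not Misconfig Mapper's or GitLab's code. The endpoints it calls, the `visibility` parameter, and the admin settings `default_snippet_visibility` and `restricted_visibility_levels` are my reading of the GitLab REST API and should be checked against the API docs for your version; the sample snippet records are constructed so the planning logic runs offline.

```python
"""Audit snippet visibility through the GitLab REST API and tighten it.

Added example for this page; it is not Misconfig Mapper or GitLab code.
Assumed endpoints (check them against your GitLab version's API docs):
  GET  /api/v4/snippets/public                      public personal snippets
  GET  /api/v4/projects/:id/snippets                a project's snippets
  PUT  /api/v4/snippets/:id                         accepts visibility=
  PUT  /api/v4/projects/:id/snippets/:snippet_id    accepts visibility=
  PUT  /api/v4/application/settings                 admin-only hardening
Snippet objects are assumed to carry id, title, visibility and, for project
snippets, project_id. Run with GITLAB_TOKEN set; pass --apply to change things.
"""
from __future__ import annotations

import json
import os
import sys
import urllib.parse
import urllib.request

# Visibility levels considered acceptable. "internal" is readable by every
# signed-in user, which on an instance with open registration is effectively
# public, so it is not allowed by default.
ALLOWED_VISIBILITY = {"private"}

# Instance-wide settings that stop new snippets from becoming public by accident
# (assumed application settings names, see module docstring).
HARDENED_SETTINGS = {
    "default_snippet_visibility": "private",
    "restricted_visibility_levels[]": ["public"],
}

# Constructed sample of what the list endpoints return, for offline use.
SAMPLE_SNIPPETS = [
    {"id": 42, "title": "deploy.sh", "visibility": "public", "project_id": None},
    {"id": 7, "title": "config.yml", "visibility": "internal", "project_id": 15},
    {"id": 9, "title": "notes", "visibility": "private", "project_id": 15},
]


def remediation_endpoint(snippet: dict) -> str:
    """Personal and project snippets are updated through different endpoints."""
    if snippet.get("project_id"):
        return f"/api/v4/projects/{snippet['project_id']}/snippets/{snippet['id']}"
    return f"/api/v4/snippets/{snippet['id']}"


def plan_remediation(
    snippets: list[dict], allowed: set[str] = ALLOWED_VISIBILITY
) -> list[tuple[str, str, str]]:
    """(endpoint, current visibility, title) for every snippet that is too open."""
    return [
        (remediation_endpoint(s), s["visibility"], s.get("title", ""))
        for s in snippets
        if s.get("visibility") not in allowed
    ]


def api(base_url: str, token: str, path: str, method: str = "GET", form: dict | None = None):
    """Minimal authenticated call; form data is sent urlencoded, the reply parsed as JSON."""
    body = urllib.parse.urlencode(form, doseq=True).encode() if form else None
    req = urllib.request.Request(
        urllib.parse.urljoin(base_url, path), data=body, method=method,
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


def lock_down(base_url: str, token: str, project_id: str | None, apply: bool) -> list[tuple[str, str, str]]:
    """List too-open snippets (one project, or public personal ones); with apply=True set each to private."""
    list_path = f"/api/v4/projects/{project_id}/snippets" if project_id else "/api/v4/snippets/public"
    plan = plan_remediation(api(base_url, token, list_path))
    for endpoint, visibility, title in plan:
        print(f"{visibility:9} {title!r} -> {endpoint}")
        if apply:
            api(base_url, token, endpoint, "PUT", {"visibility": "private"})
    return plan


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://gitlab.example.com"
    project = sys.argv[2] if len(sys.argv) > 2 and not sys.argv[2].startswith("--") else None
    apply = "--apply" in sys.argv
    plan = lock_down(base, os.environ["GITLAB_TOKEN"], project, apply)
    if "--harden-instance" in sys.argv:  # requires an administrator token
        api(base, os.environ["GITLAB_TOKEN"], "/api/v4/application/settings", "PUT", HARDENED_SETTINGS)
    print(f"{len(plan)} snippet(s) {'updated' if apply else 'would be updated'}")
```

Without `--apply` the script is a dry run that only prints what it would change; `--harden-instance` is separate because it touches global settings and needs an administrator token. Add `"internal"` to `ALLOWED_VISIBILITY` if Internal snippets are acceptable on your instance, and add pagination (the `page` and `per_page` query parameters) before running it against an instance with more than one page of snippets.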

Potential Impact:

Unintentionally exposing private source code snippets puts your company at risk: snippets frequently contain hard-coded secrets (API tokens, credentials, private keys) that can be used in further attacks, and even without secrets, exposed proprietary code lets unauthorized users examine it for vulnerabilities and internal details.

References:

https://docs.gitlab.com/ee/user/snippets.html