Access to pipelines and jobs via API although feature disabled
HackerOne report #448115 by xanbanx on 2018-11-21:
Hi GitLab security team,
GitLab supports CI/CD by means of pipelines containing build jobs. However, if users do not need these features, the project owner can disable them under https://mygitlab.com/<namespace>/<project-name>/edit#js-shared-permissions . While this disables the frontend of these features, the corresponding API still gives access to pipelines and jobs.
Steps to reproduce
Tested on GitLab 11.5.0 RC13
- Create a project, add some code such that a CI pipeline runs
- Under https://mygitlab.com/<namespace>/<project-name>/edit#js-shared-permissions disable the CI pipelines
- Perform the following API request:
curl --header "PRIVATE-TOKEN: <MY-TOKEN>" "https://mygitlab.example.com/api/v4/projects/<project-id>/pipelines"
This returns the past pipelines for the project. Similarly, GET /projects/:id/pipelines/:pipeline_id also succeeds. Job information can also be queried via GET /projects/:id/jobs or GET /projects/:id/pipelines/:pipeline_id/jobs
Impact
It allows users to get access to previous build information, although the feature should be disabled.
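As an added defender-side check (not part of the report and not GitLab's own code): an audit function that reads the project's CI visibility setting and then calls the pipeline and job endpoints the report names, flagging any that still return data. It assumes the project JSON carries builds_access_level (or the older jobs_enabled boolean); live_get, audit_project and sample_get are names introduced here, and the sample responses are constructed to stand in for a live instance.

```python
import json
import urllib.error
import urllib.request


def live_get(base_url, token):
    """Fetcher for a real instance: path -> (status, parsed JSON).
    Uses the PRIVATE-TOKEN header from the report's curl command."""
    def get(path):
        req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                     headers={"PRIVATE-TOKEN": token})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as err:  # 403/404 carry a JSON body too
            return err.code, json.loads(err.read() or b"null")
    return get


def ci_disabled(project):
    """True when CI/CD is switched off for the project.
    Assumption: newer API exposes builds_access_level, older ones jobs_enabled."""
    if "builds_access_level" in project:
        return project["builds_access_level"] == "disabled"
    return project.get("jobs_enabled") is False


def audit_project(project_id, get):
    """Call the endpoints from the report and list the ones still leaking data.
    A correctly enforcing server answers 403 (or an empty list) once CI is off."""
    _, project = get(f"/projects/{project_id}")
    result = {"ci_disabled": ci_disabled(project), "leaking_endpoints": []}
    if not result["ci_disabled"]:
        return result  # feature is meant to be visible; nothing to check
    for path in (f"/projects/{project_id}/pipelines",
                 f"/projects/{project_id}/jobs"):
        status, body = get(path)
        if status == 200 and body:
            result["leaking_endpoints"].append(path)
    return result


# Constructed responses mimicking the vulnerable behaviour described above.
SAMPLE_VULNERABLE = {
    "/projects/42": (200, {"id": 42, "builds_access_level": "disabled"}),
    "/projects/42/pipelines": (200, [{"id": 7, "status": "success", "ref": "master"}]),
    "/projects/42/jobs": (200, [{"id": 99, "name": "build", "status": "success"}]),
}
# Constructed responses for a fixed server: the API refuses once CI is disabled.
SAMPLE_FIXED = dict(SAMPLE_VULNERABLE,
                    **{"/projects/42/pipelines": (403, {"message": "403 Forbidden"}),
                       "/projects/42/jobs": (403, {"message": "403 Forbidden"})})


def sample_get(path, responses=SAMPLE_VULNERABLE):
    return responses[path]
```

Against a live instance, pass `live_get("https://mygitlab.example.com", token)` as the fetcher instead of `sample_get`.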