
CI metrics for MRs are accessible for users without CI access

HackerOne report #546860 by xanbanx on 2019-04-23, assigned to estrike:

Summary

GitLab added a new feature to upload a metrics file as part of a CI job. GitLab parses this file and displays the changes in metrics as part of the merge request widget. These metrics are output of the CI job and should only be displayed if the visiting user has access to CI. However, right now GitLab displays the metric changes regardless of this permission.

For public projects, GitLab allows restricting CI pipelines to project members only (public pipelines disabled). However, in this case, the merge request widget still renders the metrics result, which is the outcome of a CI pipeline.

Steps to reproduce

This is reproducible on gitlab.com. It requires at least a silver plan to have the metrics feature available.

  1. Create a public project and push a .gitlab-ci.yml with the following content (the `reports:` key belongs under `artifacts:`):

```yaml
metrics:
  script:
    - echo 'my_metric value' > metrics.txt
  artifacts:
    reports:
      metrics: metrics.txt
```

  2. Create a merge request (assuming it has iid 1) by changing the .gitlab-ci.yml file, specifically the metrics line, e.g., to `- echo 'my_metric new_value' > metrics.txt`
  3. Restrict the visibility of CI pipelines to project members only and disable public pipelines
  4. As an anonymous user, visit the page https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1
  5. You see the metrics widget rendered although the user does not have access to CI. Behind the scenes, the JSON endpoint https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/metrics_report.json loads this data and reveals the metrics information to unauthorized users.

What is the current bug behavior?

Users without access to CI have access to metrics, which are tied to a merge request and are an output of CI.

What is the expected correct behavior?

Users without proper access level should not have access to metrics.

Best regards,
Xanbanx

Impact

Users without proper access level have access to metrics information.

Security Workflow Issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2895
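The authorization gap the report describes is that the metrics endpoint was gated on project visibility rather than on the permission to read CI output. The following Ruby model is an added example, not GitLab's code and not part of the report: it places a minimal "vulnerable" endpoint (checks only that the project is readable) beside a "hardened" one (requires the same permission as reading CI builds, which public projects can withhold by disabling public pipelines). The `Project`, `User`, `can_read_project?`, `can_read_build?` and `metrics_report_*` names, and the shape of the sample report, are all assumptions made for this illustration.

```ruby
# Added example (not GitLab's code): models the permission check that the
# merge request metrics endpoint should apply. All names here are hypothetical.
require 'json'

# Minimal stand-ins for a project and a user (constructed for this example).
Project = Struct.new(:visibility, :public_builds, :members, keyword_init: true)
User = Struct.new(:name, keyword_init: true)

# Project visibility alone: anyone, including an anonymous visitor (nil), can
# read a public project; private projects require membership.
def can_read_project?(user, project)
  return true if project.visibility == :public
  !user.nil? && project.members.include?(user.name)
end

# CI output is gated separately: members always may read builds; on a public
# project non-members may only when public builds have not been disabled.
def can_read_build?(user, project)
  return true if !user.nil? && project.members.include?(user.name)
  project.visibility == :public && project.public_builds
end

# Vulnerable behaviour: the metrics report is served to anyone who can read
# the project, ignoring the public-builds restriction.
def metrics_report_vulnerable(user, project, report)
  return [404, nil] unless can_read_project?(user, project)
  [200, JSON.generate(report)]
end

# Hardened behaviour: the report is CI output, so it is served only to users
# allowed to read CI builds. A 404 (rather than 403) avoids confirming that a
# report exists for the merge request.
def metrics_report_hardened(user, project, report)
  return [404, nil] unless can_read_build?(user, project)
  [200, JSON.generate(report)]
end

# Constructed sample report, roughly mirroring the "my_metric value" to
# "my_metric new_value" change from the reproduction steps.
SAMPLE_REPORT = {
  'existing_metrics' => [
    { 'name' => 'my_metric', 'value' => 'new_value', 'previous_value' => 'value' }
  ],
  'new_metrics' => []
}.freeze

if __FILE__ == $PROGRAM_NAME
  anonymous = nil
  locked = Project.new(visibility: :public, public_builds: false, members: ['alice'])
  puts "vulnerable: #{metrics_report_vulnerable(anonymous, locked, SAMPLE_REPORT).inspect}"
  puts "hardened:   #{metrics_report_hardened(anonymous, locked, SAMPLE_REPORT).inspect}"
end
```

Run as a script it prints the vulnerable endpoint handing the report to an anonymous visitor of a public project with public builds disabled, and the hardened endpoint refusing. A regression test for such a fix should cover exactly that combination (public project, public builds off, anonymous user), since the ordinary "private project, anonymous user" case already passed under the vulnerable logic.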

Edited by drew stachon