
IDOR in epic notes api, also reveals historical information if it was promoted from issue

HackerOne report #538109 by ashish_r_padelkar on 2019-04-14, assigned to hackerjuan:

Summary

Hello,

There are a couple of issues here in the EPIC notes API:
https://docs.gitlab.com/ee/api/notes.html#list-all-epic-notes

Issue1

The API GET /groups/:id/epics/:epic_id/notes has an IDOR issue, i.e. it lists the notes of an EPIC without checking the group.

For eg, https://gitlab.com/api/v4/groups/<REDACTED public_group_id>/epics/<REDACTED epic_id>/notes

Above will list notes from the REDACTED epic_id EPIC, whereas REDACTED public_group_id is a group that doesn't belong to this EPIC. So if you just sequentially run the IDs of epics, it will work.

Note that REDACTED epic_id is the internal ID of the EPIC.

However, this only discloses notes from PUBLIC groups, but this needs fixing.

Issue2

This is more of a security issue because it leaks information which ideally is not visible publicly.

For eg, if an EPIC is promoted from an issue which belongs to a private project, it may contain private information like the milestone and labels applied to the issue before promoting it to an epic. This API response discloses everything!

Steps to reproduce

  1. Go to https://gitlab.com/api/v4/groups/<AnyPublicGroupID>/epics/<EPIC_IID>/notes

  2. Just keep changing <EPIC_IID> in the above request and you will see notes belonging to other groups.

  3. Also see the responses: this discloses more information about the epic's historical activities from the timeline if it was promoted from an issue.

Examples POC

  1. Go to https://gitlab.com/groups/<REDACTED private group>/-/epics/<REDACTED epic ID>
  2. You will see a few activities there and not much information. But there is information there which you cannot see because this epic was promoted from a private project.
  3. Now go to https://gitlab.com/api/v4/groups/<REDACTED public_group_id>/epics/<REDACTED epic_id>/notes
  4. In the response, you will see more information which you can't see in the UI. The information includes the milestone and labels from the private project that were applied before it was promoted to an EPIC from an issue!

What is the current bug behavior?

IDOR + info disclosure in the EPIC notes API

What is the expected correct behavior?

The EPIC notes API should only work for EPICs that belong to that group and should not disclose historical information if the EPIC was promoted from a private project issue.

This bug happens on GitLab.com

Regards,
Ashish

Impact

The EPIC notes API works for any group (works for public groups only).

The EPIC notes API response discloses historical information when the EPIC was promoted from a private project issue.
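The two findings above come down to one missing ownership check and one missing visibility check on carried-over system notes. The following Ruby script is an added illustration for this report, not GitLab's code: it models a notes endpoint with in-memory structs (`Group`, `Project`, `Epic`, `Note`, the `GROUPS`/`PROJECTS`/`EPICS`/`NOTES` tables and the user names are all constructed for the example) and contrasts a lookup that ignores the `:id` group in the URL with one that scopes the epic to that group and filters system notes by access to the project they originated in. Access rules (`can_read_group?`, `can_read_project?`) are deliberately simplified assumptions, not GitLab's permission model.

```ruby
# Added example for this report (not GitLab code). All classes, data and
# permission rules below are constructed to illustrate the two findings.

NotFound = Class.new(StandardError)

Group   = Struct.new(:id, :visibility, :members)   # visibility: :public / :private
Project = Struct.new(:id, :visibility, :members)
Epic    = Struct.new(:id, :iid, :group_id, :promoted_from_project_id)
# system: true for auto-generated timeline notes ("changed milestone to ...").
# origin_project_id: project the event happened in before promotion;
# nil for events that happened on the epic itself.
Note    = Struct.new(:id, :epic_id, :body, :system, :origin_project_id)

# --- constructed sample data ------------------------------------------------
GROUPS = {
  1 => Group.new(1, :public, []),          # unrelated public group named in the URL
  2 => Group.new(2, :public, ["alice"]),   # the epic's real group
}
PROJECTS = {
  10 => Project.new(10, :private, ["alice"]),  # private project the issue came from
}
EPICS = [
  Epic.new(100, 7, 2, 10),                 # epic iid 7, owned by group 2, promoted from project 10
]
NOTES = [
  Note.new(1, 100, "changed milestone to v1.0 in project 10", true, 10),
  Note.new(2, 100, "added label ~customer-data in project 10", true, 10),
  Note.new(3, 100, "promoted to epic", true, nil),
  Note.new(4, 100, "Let's plan the rollout", false, nil),
]

# Simplified access rules (assumption, not GitLab's model): public resources are
# readable by anyone, private ones only by listed members. user may be nil.
def can_read_group?(user, group)
  group.visibility == :public || group.members.include?(user)
end

def can_read_project?(user, project)
  project.visibility == :public || project.members.include?(user)
end

# Vulnerable pattern described in the report: the group is only checked for
# readability, then the epic is fetched by its own id, so any readable group id
# in the URL works for any epic.
def list_epic_notes_unscoped(user, group_id, epic_iid)
  group = GROUPS.fetch(group_id) { raise NotFound }
  raise NotFound unless can_read_group?(user, group)
  epic = EPICS.find { |e| e.iid == epic_iid } or raise NotFound
  NOTES.select { |n| n.epic_id == epic.id }.map(&:body)
end

# Fix for finding 1: resolve the epic *within* the group from the URL, so an
# epic that belongs to another group is simply not found.
def find_epic_in_group!(user, group_id, epic_iid)
  group = GROUPS.fetch(group_id) { raise NotFound }
  raise NotFound unless can_read_group?(user, group)
  EPICS.find { |e| e.group_id == group.id && e.iid == epic_iid } or raise NotFound
end

# Fix for finding 2: system notes carried over from the source project are
# shown only if the caller can read that project; epic-level notes are kept.
def visible_notes(user, epic)
  NOTES.select { |n| n.epic_id == epic.id }.select do |n|
    next true if n.origin_project_id.nil?
    can_read_project?(user, PROJECTS.fetch(n.origin_project_id))
  end
end

def list_epic_notes_scoped(user, group_id, epic_iid)
  epic = find_epic_in_group!(user, group_id, epic_iid)
  visible_notes(user, epic).map(&:body)
end

if __FILE__ == $0
  # Anonymous caller via the unrelated public group 1: unscoped lookup leaks
  # all four notes, scoped lookup raises NotFound.
  p list_epic_notes_unscoped(nil, 1, 7)
  begin
    list_epic_notes_scoped(nil, 1, 7)
  rescue NotFound
    puts "scoped lookup via wrong group: not found"
  end
  # Anonymous caller via the real group 2 sees only epic-level notes;
  # alice, a member of the private source project, sees the full timeline.
  p list_epic_notes_scoped(nil, 2, 7)
  p list_epic_notes_scoped("alice", 2, 7)
end
```

The design point is that the group in the path must be part of the lookup key, not merely a separate readability check; and that system notes generated before promotion inherit the visibility of the project they describe, so the filter has to run per note rather than once per epic.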


Related Security Issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2875
