Raw build logs can be accessed by anyone
I know we are checking authorize_update_build!, but are we verifying that the user has access to that particular project? We just received this report:
Unauthorized access to raw build logs of all users
Hello Gitlab Security Team,
I would like to report a security vulnerability in the gitlab.com build feature. The issue allows anyone to see build details, including sensitive credentials of other users who are using the automated build process, all without any authorization check in place.
Brief Overview
gitlab.com is a free online repository site which features unlimited repos.
The issue I have found is in the log generated by the build process in gitlab.com.
The issue allows anyone to have access to all the repositories on the website not just their own.
Steps to reproduce
- Tried to build a simple project
- Saw that the build log was available to view in raw format. Here is my URL (https://gitlab.com/XXX)
- Saw that the number in the URL seemed like a parameter
- By changing the number, I was able to confirm that I could see the build log of another repository that was not one of mine.
Title: Insecure Direct Object Reference (IDOR)
This type of issue is usually referred to as an Insecure Direct Object Reference and is listed as #4 in the OWASP Top 10 application security risks list of 2013
(https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References)
POC
- Create two accounts, for example: madhu and sri
- Login using sri and create a private repository with CI build
- Get the ID of the raw build
- Login as madhu and create another repository with CI build.
- Change the build ID with the "sri" build ID.
Mitigation
- Look at verifying that the logged in user has the authority to see the raw build log they are requesting.
/cc: @ayufan
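For maintainers following this issue, an added illustration (constructed model, not GitLab's code; the names `Project#readable_by?`, `raw_trace_for`, the sample users and the build traces are assumptions) of the difference between a lookup that resolves a build by id alone, which is the IDOR the report describes, and a lookup scoped to the project the requesting user may read:

```ruby
# Constructed model of the missing authorization check (added example,
# not GitLab's code). All names and sample data below are assumptions.
User = Struct.new(:name)

Project = Struct.new(:name, :visibility, :team) do
  # A private project is readable only by its team members.
  def readable_by?(user)
    visibility == :public || team.include?(user)
  end
end

Build = Struct.new(:id, :project, :trace)

# One global id space shared by every project, as on a hosted service:
# a build id by itself must therefore never be treated as a capability.
BUILDS = {}

def register_build(build)
  BUILDS[build.id] = build
  build
end

class NotFound < StandardError; end

# Vulnerable lookup: resolves the build by id alone. Any user who can reach
# the endpoint can read any build's trace, regardless of project membership.
def raw_trace_by_id_only(build_id)
  build = BUILDS.fetch(build_id) { raise NotFound }
  build.trace
end

# Hardened lookup: the build is served only if the requesting user may read
# its project. A forbidden build answers exactly like a missing one, so the
# response does not confirm that a guessed id exists.
def raw_trace_for(user, build_id)
  build = BUILDS[build_id]
  raise NotFound if build.nil? || !build.project.readable_by?(user)
  build.trace
end

# Constructed sample data mirroring the report's two-account POC.
SRI   = User.new("sri")
MADHU = User.new("madhu")

SRI_PROJECT   = Project.new("sri/app",   :private, [SRI])
MADHU_PROJECT = Project.new("madhu/app", :private, [MADHU])

register_build(Build.new(1, SRI_PROJECT,   "Running with token=SRI_SECRET\nbuild ok"))
register_build(Build.new(2, MADHU_PROJECT, "build ok"))

# Summarises a scoped request as :ok or :not_found.
def outcome(user, build_id)
  raw_trace_for(user, build_id)
  :ok
rescue NotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  puts "id-only lookup of build 1: #{raw_trace_by_id_only(1).lines.first.strip}"
  puts "madhu -> build 1 (scoped): #{outcome(MADHU, 1)}"
  puts "sri   -> build 1 (scoped): #{outcome(SRI, 1)}"
  puts "madhu -> build 2 (scoped): #{outcome(MADHU, 2)}"
  puts "madhu -> build 99 (scoped): #{outcome(MADHU, 99)}"
end
```

The point of `raw_trace_for` is that the authorization decision is made against the build's project, not against a generic "can this user view builds" permission; a regression test for the fix should assert that a member of one private project receives the same 404 for another project's build as for a build that does not exist.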