Guest users have access to all Job information via the API
HackerOne report #447264 by xanbanx on 2018-11-19:
For private projects, guest users do not have access to CI jobs if public CI pipelines are deactivated. However, the API endpoints GET /projects/:id/jobs and GET /projects/:id/pipelines/:pipeline_id/jobs do not check for the correct permission and therefore cause an information leak. This gives a malicious user access to private information like the commits and commit messages, branch names, tag names, etc.
Steps to reproduce
This was tested on GitLab 11.5.0 RC12
- Create private project and disable public pipelines at
- Add a guest user to the project
- As the guest user perform the following API request:
curl --header "PRIVATE-TOKEN: <GUEST-USER-TOKEN>" 'https://mygitlab.example.com/api/v4/projects/<project_id>/jobs'
This will return all jobs as a JSON response.
The API endpoint GET /projects/:id/jobs is implemented in jobs.rb and looks like the following.

    desc 'Get a projects jobs' do
      success Entities::Job
    end
    params do
      use :optional_scope
      use :pagination
    end
    # rubocop: disable CodeReuse/ActiveRecord
    get ':id/jobs' do
      builds = user_project.builds.order('id DESC')
      builds = filter_builds(builds, params[:scope])

      builds = builds.preload(:user, :job_artifacts_archive, :job_artifacts, :runner, pipeline: :project)
      present paginate(builds), with: Entities::Job
    end
Here, the first line in the implementation should be authorize_read_builds! to properly check for the permission. The same holds true for the second API endpoint.
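The following is an added example, not GitLab's own code: a small stand-alone Ruby model of the endpoint above, placed beside a hardened version that calls the missing permission check first. The Project, User, ApiError, ACCESS and can_read_builds? names are assumptions made for illustration, the build records are constructed sample data, and the permission rule (guests may read builds only when public pipelines are enabled; members above guest always may) is an assumption that approximates the behaviour the report describes rather than GitLab's actual policy code.

```ruby
# Added example (not GitLab's code): a minimal model of the jobs endpoint
# from the report, with and without the authorize_read_builds! check.
# Project, User, ApiError, ACCESS and can_read_builds? are assumed names.

# Stands in for Grape's error! helper: models an HTTP error response.
class ApiError < StandardError
  attr_reader :status

  def initialize(status, message)
    super(message)
    @status = status
  end
end

# A project with the "public pipelines" setting from the report, a member
# list (name => access level) and a constructed list of CI jobs.
Project = Struct.new(:visibility, :public_builds, :members, :builds) do
  # Access level of a user, or nil when the user is not a member.
  def access_level(user)
    members[user.name]
  end
end

User = Struct.new(:name)

# Assumed access levels, ordered the way GitLab orders its roles.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Assumed rule: members above guest may always read builds; guests (and,
# on public projects, non-members) only when public pipelines are enabled.
def can_read_builds?(user, project)
  level = project.access_level(user)
  return true if level && level > ACCESS[:guest]

  member_or_public = level || project.visibility == :public
  member_or_public && project.public_builds ? true : false
end

# The check the report says should be the first line of the endpoint.
def authorize_read_builds!(user, project)
  raise ApiError.new(403, '403 Forbidden') unless can_read_builds?(user, project)
end

# GET /projects/:id/jobs as described in the report: no permission check,
# so every member, including guests, receives the full job list.
def jobs_vulnerable(_user, project)
  project.builds.sort_by { |b| -b[:id] }
end

# The hardened handler: authorize first, then list (newest first).
def jobs_fixed(user, project)
  authorize_read_builds!(user, project)
  project.builds.sort_by { |b| -b[:id] }
end

# Constructed sample jobs carrying the kind of data the report says leaks.
SAMPLE_BUILDS = [
  { id: 1, ref: 'master', commit_title: 'Add internal billing feature' },
  { id: 2, ref: 'feature/unreleased-tool', commit_title: 'WIP: new tool' }
].freeze

# A private project with one guest and one developer member.
def private_project(public_builds)
  Project.new(:private, public_builds,
              { 'guest' => ACCESS[:guest], 'dev' => ACCESS[:developer] },
              SAMPLE_BUILDS)
end

GUEST = User.new('guest')
DEV = User.new('dev')

if __FILE__ == $PROGRAM_NAME
  project = private_project(false)
  puts "vulnerable: guest sees #{jobs_vulnerable(GUEST, project).size} jobs"
  begin
    jobs_fixed(GUEST, project)
  rescue ApiError => e
    puts "fixed: guest gets #{e.status}"
  end
  puts "fixed: developer sees #{jobs_fixed(DEV, project).size} jobs"
end
```

Running the script shows the difference the one-line fix makes: the unchecked handler hands the guest both jobs, the hardened one returns 403 for the guest while the developer still sees the list, and flipping public_builds to true restores guest access, which is the intended behaviour of the project setting.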
Guest users have access to private information of CI jobs.