Bypass of #421299 Able to Comment on Locked Discussion on Public Project
HackerOne report #458319 by ngalog on 2018-12-07:
Summary: After issue/mr is locked in public project, non-member couldn't comment on the thread. However by changing the discussion_id to the locked thread discussion_id, unauthorised user could still comment on the locked issue/mr with that discussion_id
PoC
Visit here and you will see there is another guy replying to this long locked issue
Steps To Reproduce on gitlab.com:
- Visit a public project with a locked issue/mr, example here
- Look at burp requests, look for a request look like this
https://gitlab.com/gitlab-org/gitlab-ce/issues/46779/discussions.json
- Search for last discussion_id, jot down the value
- Open a new issue in same public project
- start a new discussion in that issue
- Start burp intercept, replace discussion_id to the discussion id you jot down earlier
- Tada, you can once again reply on a locked issue/mr
Intercept this request
POST /gitlab-org/gitlab-ce/notes?target_id=16400981&target_type=issue HTTP/1.1
Host: gitlab.com
....
in_reply_to_discussion_id={replace_me}&target_type=issue&note%5Bnote%5D=another+poc
Impact
Able to comment on issues even they are locked/confidential
Attachments
Warning: Attachments received through HackerOne, please exercise caution!