Last build status and coverage leaked to unauthorized users
HackerOne report #477222 by xanbanx on 2019-01-09, assigned to
GitLab CI supports creating badges that show the latest pipeline status and test coverage of a given branch. However, on projects where pipeline access is restricted, users who cannot view the pipelines themselves can still retrieve the build/coverage status of any branch through the badge endpoint. This holds for several configurations:
- For public projects with restricted pipeline access, any user (the user does not need to be signed in) has access to this information
- For internal projects with restricted pipeline access, any authenticated user has access to this information
- For private projects, any Guest user of that project has access to this information
Steps to reproduce
- Create a public repo, configure CI, and push some code. Consider the project namespace to be test/cibadges in these steps.
- Restrict the visibility of the whole repo to Project Members Only and disable Public builds in the CI settings
- As a non-authenticated user visit the following page:
This will return an SVG image showing the build status of the master branch. This works for any other branch as well. The same also works with the coverage badge, accessible via the following link:
The same works for the other configurations mentioned above.
Even if the repository, and therefore also pipelines, is completely disabled for the project, the last build status/coverage can still be retrieved via the badge link.
Steps to mitigate
Perform a proper authorization check when handling a badge request: serving the badge should require the same permission as viewing the project's pipelines, not merely the permission to view the project.
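To make the access matrix from the report and the mitigation concrete, the following is an added example written for this page; it is not GitLab's code. It models the three visibility levels, the "Public builds" setting and a disabled CI feature, then contrasts a badge handler that only checks project readability (the reported behaviour) with one that reuses the pipeline permission check. The Project/User structs, the role names, the Reporter-or-above threshold for viewing pipelines when "Public builds" is off, and the method names are assumptions made for the example.

```ruby
# Added example, not GitLab's code: a minimal model of the badge access
# matrix described in the report and of the authorization fix it asks for.
# Structs, role names and the Reporter threshold are assumptions.

Project = Struct.new(:visibility, :public_builds, :builds_enabled, :members,
                     keyword_init: true)
User = Struct.new(:name, :signed_in, keyword_init: true)

ANONYMOUS = User.new(name: nil, signed_in: false)
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Project visibility only: public to everyone, internal to signed-in users,
# private to project members (any role, Guest included).
def can_read_project?(user, project)
  case project.visibility
  when :public   then true
  when :internal then user.signed_in
  when :private  then project.members.key?(user.name)
  else false
  end
end

# Pipeline visibility: the CI feature must be enabled and, when "Public builds"
# is disabled, the requester must be a member at Reporter or above (assumed
# threshold for this example; Guests are excluded either way).
def can_read_pipeline?(user, project)
  return false unless project.builds_enabled && can_read_project?(user, project)
  return true if project.public_builds
  role = project.members[user.name]
  !role.nil? && ROLE_RANK[role] >= ROLE_RANK[:reporter]
end

# Leaky handler: the badge only checks that the project is readable, so the
# status escapes to anyone who can see the project page.
def badge_leaky(user, project, status)
  can_read_project?(user, project) ? status : :not_found
end

# Fixed handler: the badge is gated by the same check as the pipeline pages.
def badge_fixed(user, project, status)
  can_read_pipeline?(user, project) ? status : :not_found
end

# Builds the three configurations from the report (each with "Public builds"
# off and one Guest plus one Reporter member) and returns, per visibility
# level, what each kind of requester receives from the given handler.
def badge_matrix(handler, builds_enabled: true)
  members = { "guest" => :guest, "reporter" => :reporter }
  projects = %i[public internal private].to_h do |vis|
    [vis, Project.new(visibility: vis, public_builds: false,
                      builds_enabled: builds_enabled, members: members)]
  end
  requesters = {
    anonymous: ANONYMOUS,
    signed_in: User.new(name: "outsider", signed_in: true), # not a member
    guest:     User.new(name: "guest", signed_in: true),
    reporter:  User.new(name: "reporter", signed_in: true),
  }
  projects.to_h do |vis, project|
    [vis, requesters.to_h { |who, user| [who, send(handler, user, project, :passed)] }]
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[badge_leaky badge_fixed].each do |handler|
    puts "#{handler}: #{badge_matrix(handler)}"
  end
end
```

Running the script prints both matrices: with the leaky handler the anonymous requester sees the public project's status, the signed-in outsider sees the internal project's status and the Guest sees the private project's status, which is exactly the three cases listed above; with the fixed handler only the Reporter gets a status, and nobody does once the CI feature is disabled.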
Users with restricted pipeline access can see the build/coverage status for different branches