Access to pipelines and jobs via API although feature disabled
HackerOne report #448115 by xanbanx on 2018-11-21:
Hi GitLab security team,
GitLab supports CI/CD by means of pipelines containing build jobs. However, if users do not need this feature, the project owner can disable it under
https://mygitlab.com/<namespace>/<project-name>/edit#js-shared-permissions. While this disables the frontend of these features, the corresponding API still gives access to pipelines and jobs.
Steps to reproduce
Tested on GitLab 11.5.0 RC13
- Create a project, add some code such that a CI pipeline runs
- Under https://mygitlab.com/<namespace>/<project-name>/edit#js-shared-permissions disable the CI pipelines
- Perform the following API request:
curl --header "PRIVATE-TOKEN: <MY-TOKEN>" "https://mygitlab.example.com/api/v4/projects/<project-id>/pipelines"
This returns the past pipelines for the project. Similarly,
GET /projects/:id/pipelines/:pipeline_id also succeeds. Job information can also be queried via
GET /projects/:id/jobs or
This allows users to access previous build information even though the feature should be disabled.
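An audit helper for checking whether an instance enforces the CI/CD setting at the API as well as in the UI (added example, not code from the report or from GitLab). It assumes the v4 project endpoint exposes builds_access_level with the value "disabled" when CI/CD is turned off, and that the jobs endpoint follows the same /projects/:id/jobs pattern; the fetch hook is there so the check can be exercised offline with constructed responses.

```python
"""Flags a project whose CI/CD feature is disabled in its settings while the
pipelines or jobs API still returns data (the mismatch described in the report).
Assumption: the project JSON carries ``builds_access_level`` ("disabled",
"private" or "enabled"); the ``fetch`` hook replaces the transport in tests."""
import json
import urllib.request
from urllib.error import HTTPError

# Endpoints named in the report; the jobs path is assumed to follow the same pattern.
CI_ENDPOINTS = ("pipelines", "jobs")


def http_get(url: str, token: str):
    """Real transport: returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except HTTPError as err:
        return err.code, None


def audit_ci_api(base_url: str, token: str, project_id: int, fetch=http_get) -> dict:
    """Return {"builds_access_level": ..., "leaking": [...]} for one project.

    An endpoint is listed under "leaking" when the project setting says CI/CD is
    disabled yet the API answers 200 with a non-empty list.  A 403/404 from the
    endpoint means the setting is being enforced for that call."""
    api = f"{base_url.rstrip('/')}/api/v4/projects/{project_id}"
    status, project = fetch(api, token)
    if status != 200 or not isinstance(project, dict):
        raise RuntimeError(f"cannot read project {project_id}: HTTP {status}")
    level = project.get("builds_access_level", "unknown")
    leaking = []
    if level == "disabled":
        for name in CI_ENDPOINTS:
            st, body = fetch(f"{api}/{name}", token)
            if st == 200 and isinstance(body, list) and body:
                leaking.append(name)
    return {"builds_access_level": level, "leaking": leaking}
```

Run it against every project after an upgrade; an empty "leaking" list for a disabled project means the API now honours the setting.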