IDOR in epic notes api, also reveals historical information if it was promoted from issue
HackerOne report #538109 by ashish_r_padelkar
on 2019-04-14, assigned to hackerjuan
Summary
Hello,
There are a couple of issues here in the EPIC notes API:
https://docs.gitlab.com/ee/api/notes.html#list-all-epic-notes
Issue1
The API GET /groups/:id/epics/:epic_id/notes has an IDOR issue, i.e. it lists the notes of an EPIC without checking the group.
For e.g., https://gitlab.com/api/v4/groups/<REDACTED public_group_id>/epics/<REDACTED epic_id>/notes
The above will list notes from the <REDACTED epic_id> EPIC, whereas <REDACTED public_group_id> is a group that doesn't belong to this EPIC. So if you just sequentially run the IDs of epics, it will work.
Note that <REDACTED epic_id> is the internal ID of the EPIC.
However, this only discloses notes from PUBLIC groups, but it still needs fixing.
Issue2
This is more of a security issue because it leaks information which ideally is not visible publicly.
For e.g., if an EPIC is promoted from an issue which belongs to a private project, it may contain private information like the milestone and labels applied to the issue before promoting it to an epic. This API response discloses everything!
Steps to reproduce
- Go to https://gitlab.com/api/v4/groups/<AnyPublicGroupID>/epics/<EPIC_IID>/notes
- Just keep changing <EPIC_IID> in the above request and you will see notes belonging to other groups.
- Also see the responses: this discloses more information about the epic's historical activities from the timeline if it was promoted from an issue.
Examples POC
- Go to https://gitlab.com/groups/<REDACTED private group>/-/epics/<REDACTED epic ID>
- You will see a few activities there and not much information. But there is information there which you cannot see because this epic was promoted from a private project.
- Now go to https://gitlab.com/api/v4/groups/<REDACTED public_group_id>/epics/<REDACTED epic_id>/notes
- In the response, you will see more information which you can't see in the UI. The information includes the milestone and labels from the private project that were applied before it was promoted to an EPIC from an issue!
What is the current bug behavior?
IDOR + info disclosure in the EPIC notes API
What is the expected correct behavior?
The EPIC notes API should only work for EPICs that belong to that group and should not disclose historical information if the epic was promoted from a private project issue.
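The two defects above are both authorization checks that run against the wrong object: the epic is resolved by its global ID instead of within the group named in the URL, and promotion system notes are returned without regard to whether the caller can see the project they came from. The following Ruby sketch is an added illustration, not GitLab's code; it uses an in-memory toy model (Group, Project, Epic, Note structs, a `member_of` list of group/project IDs standing in for real membership, and a `source_project_id` field on system notes) and places the flawed lookup beside a scoped one so the difference can be checked directly.

```ruby
# Added example (not GitLab's code): toy model of the epic notes endpoint.
Group   = Struct.new(:id, :visibility)              # :public or :private
Project = Struct.new(:id, :visibility)
Epic    = Struct.new(:id, :iid, :group_id)          # id is global, iid is per-group
# A system note is a timeline event; when an epic was promoted from an issue,
# the note carries the source project's id (assumed field for this illustration).
Note    = Struct.new(:epic_id, :body, :system, :source_project_id)

class EpicNotesApi
  NotFound = Class.new(StandardError)

  def initialize(groups:, projects:, epics:, notes:)
    @groups, @projects, @epics, @notes = groups, projects, epics, notes
  end

  # Flawed pattern from the report: the URL group only has to exist, the epic
  # is looked up by its global id, and only the epic's own group visibility is
  # enforced. Any existing group id therefore lists any epic in a public group,
  # and every system note (including promotion history) is returned.
  def list_notes_unscoped(group_id, epic_id, member_of: [])
    raise NotFound unless @groups.any? { |g| g.id == group_id }
    epic = @epics.find { |e| e.id == epic_id }
    raise NotFound unless epic && visible?(group_of(epic), member_of)
    @notes.select { |n| n.epic_id == epic.id }
  end

  # Scoped version: the group from the URL must be readable, the epic must be
  # found *within* that group by its per-group iid, and system notes whose
  # details originate from a project the caller cannot read are dropped.
  def list_notes_scoped(group_id, epic_iid, member_of: [])
    group = @groups.find { |g| g.id == group_id }
    raise NotFound unless group && visible?(group, member_of)
    epic = @epics.find { |e| e.group_id == group.id && e.iid == epic_iid }
    raise NotFound unless epic
    @notes.select { |n| n.epic_id == epic.id }
          .reject { |n| reveals_private_history?(n, member_of) }
  end

  private

  def group_of(epic)
    @groups.find { |g| g.id == epic.group_id }
  end

  def visible?(container, member_of)
    container.visibility == :public || member_of.include?(container.id)
  end

  # A promotion system note leaks milestone/label history of the source issue,
  # so it is only shown when the caller can read that source project.
  def reveals_private_history?(note, member_of)
    return false unless note.system && note.source_project_id
    project = @projects.find { |p| p.id == note.source_project_id }
    project && !visible?(project, member_of)
  end
end

# Constructed sample data: epic 20 lives in public group 2 (iid 1) and was
# promoted from an issue in private project 100; epic 30 is in private group 3.
API = EpicNotesApi.new(
  groups:   [Group.new(1, :public), Group.new(2, :public), Group.new(3, :private)],
  projects: [Project.new(100, :private)],
  epics:    [Epic.new(10, 1, 1), Epic.new(20, 1, 2), Epic.new(30, 1, 3)],
  notes:    [
    Note.new(20, "changed milestone to %v1.0", true, 100),  # promotion history
    Note.new(20, "public discussion", false, nil),
    Note.new(30, "private group comment", false, nil),
    Note.new(10, "group 1 comment", false, nil),
  ]
)

if __FILE__ == $0
  # Unrelated group id 1 plus global epic id 20 lists epic 20's notes, history included.
  puts API.list_notes_unscoped(1, 20).map(&:body).inspect
  # Scoped lookup: the same request is refused, and the proper URL hides the history.
  begin
    API.list_notes_scoped(1, 20)
  rescue EpicNotesApi::NotFound
    puts "scoped lookup: not found"
  end
  puts API.list_notes_scoped(2, 1).map(&:body).inspect
end
```

The scoped lookup keys the `find` on both `group_id` and `iid`, which is the shape the expected behaviour above calls for: an epic that exists but is not in the requested group is indistinguishable from one that does not exist. Filtering promotion notes by the source project's visibility addresses the second issue without hiding the epic's own activity.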
This bug happens on GitLab.com
Regards,
Ashish
Impact
The EPIC notes API works for any group (public groups only).
The EPIC notes API response discloses historical information when the epic was promoted from a private project issue.
Related Security Issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2875