Able to reach group/subgroup's project using dashboard activity to bypass IP Restriction for Group
HackerOne report #632025 by ngalog
on 2019-06-29:
Summary
As mentioned at https://docs.gitlab.com/ee/user/group/index.html#restrict-group-access-by-ip-address
users should not be able to access any of the group's content once the IP restriction is applied, but I can still access the issue/MR/epic titles through the dashboard activity feed.
This is a possible duplicate of #632023; feel free to close it as a duplicate if they share the same root cause.
Steps to reproduce
- As a member of the target group, star the projects you already have access to
- Visit https://gitlab.com/groups/:group/-/edit#js-permissions-settings and set the IP restriction to 127.0.0.1
- As a member of the group, visit your dashboard, click Activity, and look at the starred projects' activity: the IP-restricted project's information and events are still visible
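The root cause described above is that an aggregated view (the dashboard activity feed) renders events without applying the group IP restriction that the project pages enforce. The following is an added illustration, not GitLab's code: it models groups and subgroups with constructed data (the subgroup inherits its parent's restriction), checks the requester's IP against the effective allow-list with IPAddr, and filters the feed per event before anything is rendered.

```ruby
require "ipaddr"

# Constructed sample models (not GitLab's): a group may nest under a parent,
# and a subgroup inherits the IP restriction of its nearest ancestor that sets one.
Group = Struct.new(:name, :parent, :ip_ranges)
Project = Struct.new(:name, :group)
Event = Struct.new(:project, :title)

# Walk up the hierarchy and return the first non-empty allow-list.
def effective_ip_ranges(group)
  g = group
  while g
    return g.ip_ranges if g.ip_ranges && !g.ip_ranges.empty?
    g = g.parent
  end
  []
end

# True when no restriction applies or the requester IP is inside an allowed range.
# Unparsable input fails closed.
def ip_allowed?(group, requester_ip)
  ranges = effective_ip_ranges(group)
  return true if ranges.empty?
  ip = IPAddr.new(requester_ip)
  ranges.any? { |r| IPAddr.new(r).include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# The fix for the reported flaw: the activity feed applies the same per-event
# check the project page applies, so restricted projects drop out of the feed.
def visible_events(events, requester_ip)
  events.select { |e| ip_allowed?(e.project.group, requester_ip) }
end

# Constructed demo: one restricted subgroup project, one unrestricted project.
def demo
  top = Group.new("acme", nil, ["10.0.0.0/8"])
  sub = Group.new("acme/platform", top, [])   # inherits acme's restriction
  open_group = Group.new("public-org", nil, [])
  events = [
    Event.new(Project.new("acme/platform/api", sub), "Fix login bug"),
    Event.new(Project.new("public-org/site", open_group), "Update README"),
  ]
  inside  = visible_events(events, "10.1.2.3").map(&:title)
  outside = visible_events(events, "203.0.113.9").map(&:title)
  [inside, outside]
end
```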
Impact
Bypass of the group's IP restriction by a group member
Examples
Reproducible on gitlab.com
What is the current bug behavior?
The IP restriction is bypassed in the UI via the dashboard activity feed
What is the expected correct behavior?
Every path that discloses the group's information should be blocked by the IP restriction
Edited by Drew Blessing