Private objects exposed through project import
HackerOne report #767770 by nyangawa
on 2020-01-03, assigned to @jeremymatos:
Summary
This is a bypass of https://hackerone.com/reports/743953, the current fix is blocking all "_ids" attributes. However, an attacker could still set attributes like issue_ids by indirectly setting the field within the attributes field itself:
# project.json
"attributes": {
  "issue_ids": [ 29279725 ],
  "description": "Set from attributes[description]"
},
Steps to reproduce
- Import the attached tarball.
- Check issues tab
The other parts of the report are mostly the same as those I mentioned in https://hackerone.com/reports/743953, I decided to write a new report considering the impact to gitlab.com.
Impact
With this ability to modify relations between objects, an attacker could end up accessing random resources of other users by traversing the incremental ID space.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
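
A filter that inspects only top-level keys never sees a key nested under "attributes", which is the gap this report describes. The Ruby below is an added example, not part of the report and not GitLab's code; the function names, the sample document and the rule set (keys ending in `_ids` plus the `attributes` wrapper itself) are assumptions for illustration.

```ruby
require 'json'

# Constructed sample, modelled on the project.json fragment in the report.
SAMPLE = JSON.parse(<<~JSON)
  {
    "description": "imported project",
    "issue_ids": [ 1 ],
    "attributes": {
      "issue_ids": [ 29279725 ],
      "description": "Set from attributes[description]"
    }
  }
JSON

# Hypothetical rule set: relation-id keys, plus the "attributes" wrapper that
# carries a second, nested set of fields into the imported object.
def forbidden_key?(key)
  key.to_s.end_with?('_ids') || key.to_s == 'attributes'
end

# Top-level-only filter: the kind of check the report describes bypassing.
def shallow_clean(hash)
  hash.reject { |k, _| k.to_s.end_with?('_ids') }
end

# Recursive filter: applies the rule at every depth, including inside arrays.
def deep_clean(node)
  case node
  when Hash
    node.reject { |k, _| forbidden_key?(k) }.transform_values { |v| deep_clean(v) }
  when Array
    node.map { |v| deep_clean(v) }
  else
    node
  end
end

# Lists the paths of forbidden keys so an import can be rejected and logged.
def forbidden_paths(node, path = [])
  case node
  when Hash
    node.flat_map do |k, v|
      here = path + [k.to_s]
      (forbidden_key?(k) ? [here.join('.')] : []) + forbidden_paths(v, here)
    end
  when Array
    node.each_with_index.flat_map { |v, i| forbidden_paths(v, path + [i.to_s]) }
  else
    []
  end
end
```

Rejecting the import when `forbidden_paths` returns anything is safer than silently cleaning, and an explicit allowlist of importable fields per model is stricter still than a suffix rule.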