
Non-members can add spent time and reset spent time on issues created by themselves - API

HackerOne report #755188 by ashish_r_padelkar on 2019-12-10, assigned to @ankelly:

Summary

Hello,

As per this https://docs.gitlab.com/ee/user/project/time_tracking.html:

Adding time entries (time spent or estimates) is limited to project members.

However, if the issue is created by non-members themselves in a public project, they can add spent time and reset the spent time using these APIs:

  1. https://docs.gitlab.com/ee/api/issues.html#add-spent-time-for-an-issue
  2. https://docs.gitlab.com/ee/api/issues.html#reset-spent-time-for-an-issue

Steps to reproduce

  1. Create an issue as a non-member in a public project.
  2. If you try to use quick actions like `/Spend`, it won't work.
  3. Now try the API below:

     ```
     curl --request POST --header "PRIVATE-TOKEN: <Token>" https://gitlab.com/api/v4/projects/<ProjectID>/issues/<YourIssueID>/add_spent_time?duration=1h
     ```

     This will add 1h to your own issue.
  4. You can also RESET the time spent by project members using the API below as a non-member:

     ```
     curl --request POST --header "PRIVATE-TOKEN: <Token>" https://gitlab.com/api/v4/projects/<ProjectID>/issues/<YourIssueID>/reset_spent_time
     ```

What is the current bug behavior?

Allows non-members to add/remove spent time on issues created by them.

What is the expected correct behavior?

These two actions shouldn't be allowed through the API either for non-members.

Output of checks

This bug happens on GitLab.com and might be on Omnibus installations too. This was tested on gitlab.com.

Regards,
Ashish

Impact

Non-members can add/remove spent time on issues created by themselves using the API.
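The gap between "expected" and "current" behaviour above is an authorization rule that is satisfied by issue authorship when it should require project membership. The following is an added, hypothetical Python model of that distinction (not GitLab's code; the flawed rule is an assumed construction, not the actual root cause) that also audits constructed timelog records with the strict rule so a defender can spot time entries from non-members:

```python
# Added illustration of the authorization gap in the report; not GitLab's code.
# Models two rules for "may this user record time on this issue?" and audits
# constructed timelog records with the strict rule. Roles are simplified.
from dataclasses import dataclass

@dataclass(frozen=True)
class Project:
    id: int
    members: frozenset  # user ids holding a project membership

@dataclass(frozen=True)
class Issue:
    iid: int
    project: Project
    author_id: int

def can_update_issue(user_id: int, issue: Issue) -> bool:
    """Ordinary issue-edit rule: the author may edit their own issue."""
    return user_id == issue.author_id or user_id in issue.project.members

def can_track_time_flawed(user_id: int, issue: Issue) -> bool:
    """Hypothetical flawed rule: reuses the edit rule, so a non-member
    author of a public-project issue passes (the behaviour reported)."""
    return can_update_issue(user_id, issue)

def can_track_time_fixed(user_id: int, issue: Issue) -> bool:
    """Expected rule: time tracking needs membership, whoever authored the issue."""
    return user_id in issue.project.members

def audit_timelogs(timelogs, issues):
    """Return (issue_iid, user_id) for entries recorded by non-members.
    `timelogs`: dicts with issue_iid/user_id/seconds; `issues`: iid -> Issue."""
    return [
        (log["issue_iid"], log["user_id"])
        for log in timelogs
        if not can_track_time_fixed(log["user_id"], issues[log["issue_iid"]])
    ]

# Constructed sample: members 10 and 11; user 42 authored issue 5 without membership.
PROJECT = Project(id=1, members=frozenset({10, 11}))
ISSUE_5 = Issue(iid=5, project=PROJECT, author_id=42)
SAMPLE_TIMELOGS = [
    {"issue_iid": 5, "user_id": 10, "seconds": 1800},
    {"issue_iid": 5, "user_id": 42, "seconds": 3600},  # the 1h from the report
]

if __name__ == "__main__":
    print("flawed rule allows author 42:", can_track_time_flawed(42, ISSUE_5))
    print("fixed rule allows author 42:", can_track_time_fixed(42, ISSUE_5))
    print("timelogs by non-members:", audit_timelogs(SAMPLE_TIMELOGS, {5: ISSUE_5}))
```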