Non-members can add spent time and reset spent time on issues created by themselves (API)
HackerOne report #755188 by ashish_r_padelkar
on 2019-12-10, assigned to @ankelly:
Summary
Hello,
As per https://docs.gitlab.com/ee/user/project/time_tracking.html, adding time entries (time spent or estimates) is limited to project members.
However, if the issue was created by a non-member in a public project, that non-member can add spent time and reset the spent time using these APIs:
https://docs.gitlab.com/ee/api/issues.html#add-spent-time-for-an-issue
https://docs.gitlab.com/ee/api/issues.html#reset-spent-time-for-an-issue
Steps to reproduce
- Create an issue as a non-member in a public project.
- If you try to use quick actions like /Spend, it won't work.
- Now try the API below:
curl --request POST --header "PRIVATE-TOKEN: <Token>" https://gitlab.com/api/v4/projects/<ProjectID>/issues/<YourIssueID>/add_spent_time?duration=1h
This will add 1h to your own issue.
- You can also RESET the time spent by project members using the API below as a non-member:
curl --request POST --header "PRIVATE-TOKEN: <Token>" https://gitlab.com/api/v4/projects/<ProjectID>/issues/<YourIssueID>/reset_spent_time
What is the current bug behavior?
Allows non-members to add/remove spent time on issues created by them.
What is the expected correct behavior?
These two actions shouldn't be allowed for non-members via the API either.
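The gap described above is an authorization check that is too coarse: being the author of an issue grants the right to update it, and time-tracking mutations were reusing that right instead of requiring project membership. The following Ruby model is an added example and is not GitLab's own code; the structs, the `can_update_issue?` / `can_track_time?` names, the `Forbidden` error and the duration format handled by `parse_duration` are all assumptions made for illustration. It shows the "before" policy (author or member may mutate time) beside the "after" policy (member only), and runs the report's scenario against both.

```ruby
# Added example, not GitLab's code. Models why "author may edit own issue"
# must not be the permission that guards add_spent_time / reset_spent_time.

class Forbidden < StandardError; end

User    = Struct.new(:name)
Project = Struct.new(:members)                        # members: Array<User>
Issue   = Struct.new(:author, :project, :time_spent)  # time_spent in seconds

# Parses the API's duration syntax as used in the report ("1h"); also
# accepts "30m" and "1h30m". Assumed format for this example only.
def parse_duration(text)
  str = text.to_s
  m = /\A(?:(\d+)h)?(?:(\d+)m)?\z/.match(str)
  raise ArgumentError, "bad duration: #{str.inspect}" if m.nil? || str.empty?
  (m[1].to_i * 3600) + (m[2].to_i * 60)
end

def member?(user, issue)
  issue.project.members.include?(user)
end

# "Before": the generic issue-update check. The author can always update
# their own issue, so a non-member who opened the issue passes it.
def can_update_issue?(user, issue)
  member?(user, issue) || issue.author == user
end

# "After": time tracking gets its own permission that requires project
# membership regardless of who created the issue.
def can_track_time?(user, issue)
  member?(user, issue)
end

def add_spent_time(user, issue, duration, policy: method(:can_track_time?))
  raise Forbidden, "#{user.name} may not track time" unless policy.call(user, issue)
  issue.time_spent += parse_duration(duration)
  issue.time_spent
end

def reset_spent_time(user, issue, policy: method(:can_track_time?))
  raise Forbidden, "#{user.name} may not track time" unless policy.call(user, issue)
  issue.time_spent = 0
end

# Constructed scenario mirroring the report: a non-member opens an issue in
# a project, a member logs time on it, then the non-member tries the API.
def demo
  member   = User.new("maintainer")
  outsider = User.new("non-member")
  project  = Project.new([member])
  issue    = Issue.new(outsider, project, 0)

  add_spent_time(member, issue, "2h")   # legitimate entry: 7200 seconds

  results = {}
  results[:vulnerable_add] = begin
    add_spent_time(outsider, issue, "1h", policy: method(:can_update_issue?))
    :allowed
  rescue Forbidden
    :denied
  end
  results[:fixed_add] = begin
    add_spent_time(outsider, issue, "1h")
    :allowed
  rescue Forbidden
    :denied
  end
  results[:fixed_reset] = begin
    reset_spent_time(outsider, issue)
    :allowed
  rescue Forbidden
    :denied
  end
  results[:time_spent] = issue.time_spent
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Under the "before" policy the outsider's add succeeds; under the "after" policy both the add and the reset raise `Forbidden`, and the member's 2h entry (plus the 1h the vulnerable path let through) is left untouched. The point to carry into real code is that each mutating endpoint should ask a permission specific to the action it performs, not the broadest permission that happens to cover the resource.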
Output of checks
This bug happens on GitLab.com and might also affect Omnibus installations. This was tested on gitlab.com.
Regards,
Ashish
Impact
Non-members can add/remove spent time on issues created by themselves using the API.