  • #201806
Closed
Open
Issue created Feb 03, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Non-members can add spent time and reset spent time from issues created by themselves - API

HackerOne report #755188 by ashish_r_padelkar on 2019-12-10, assigned to @ankelly:

Summary

Hello,

As per this page: https://docs.gitlab.com/ee/user/project/time_tracking.html

"Adding time entries (time spent or estimates) is limited to project members."

However, if the issue is created by non-members themselves in a public project, they can add spent time and reset the spent time using these APIs:

  1. https://docs.gitlab.com/ee/api/issues.html#add-spent-time-for-an-issue
  2. https://docs.gitlab.com/ee/api/issues.html#reset-spent-time-for-an-issue

Steps to reproduce

  1. Create an issue as a non-member in a public project.
  2. If you try to use quick actions like /Spend, it won't work.
  3. Now try the API below:
     curl --request POST --header "PRIVATE-TOKEN: <Token>" https://gitlab.com/api/v4/projects/<ProjectID>/issues/<YourIssueID>/add_spent_time?duration=1h

     This will add 1h to your own issue.

  4. You can also RESET the time spent by project members using the API below, as a non-member:
     curl --request POST --header "PRIVATE-TOKEN: <Token>" https://gitlab.com/api/v4/projects/<ProjectID>/issues/<YourIssueID>/reset_spent_time

What is the current bug behavior?

Allows non-members to add/remove spent time on issues created by them.

What is the expected correct behavior?

These 2 actions shouldn't be allowed for non-members via the API either.

Output of checks

This bug happens on GitLab.com and might be present on Omnibus installations too. This was tested on gitlab.com.

Regards,
Ashish

Impact

Non-members can add/remove spent time on issues created by themselves using the API.
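To make the authorization gap concrete, here is an added illustration in Ruby (constructed for this page; it is not GitLab's code and makes no claim about the actual root cause of the report): a single membership-based time-tracking policy that both the quick-action path and the REST endpoints must consult, shown next to a vulnerable variant that also lets the issue's author through. The class names, role set and project/user data are all constructed.

```ruby
# Constructed model of the reported gap; not GitLab's code. Time-tracking
# changes should be gated on project membership on EVERY entry point
# (quick action and REST API), never on issue authorship.
Project = Struct.new(:id, :members) # members: { user_id => role }
Issue   = Struct.new(:project, :author_id, :time_spent)
User    = Struct.new(:id)

module TimeTrackingPolicy
  # Roles allowed to record/reset spent time (constructed role set).
  ALLOWED_ROLES = %i[reporter developer maintainer owner].freeze
  # Single source of truth: a non-member has no role and is always denied.
  def self.can_track_time?(user, issue)
    ALLOWED_ROLES.include?(issue.project.members[user.id])
  end
end

# Vulnerable shape: issue authorship counts as authorization, so a non-member author passes.
module VulnerableIssuesApi
  def self.add_spent_time(user, issue, seconds)
    authorized = user.id == issue.author_id ||
                 TimeTrackingPolicy.can_track_time?(user, issue)
    raise '403 Forbidden' unless authorized
    issue.time_spent += seconds
  end
end

# Fixed shape: both endpoints consult the same policy as the quick action.
module FixedIssuesApi
  def self.add_spent_time(user, issue, seconds)
    raise '403 Forbidden' unless TimeTrackingPolicy.can_track_time?(user, issue)
    issue.time_spent += seconds
  end
  def self.reset_spent_time(user, issue)
    raise '403 Forbidden' unless TimeTrackingPolicy.can_track_time?(user, issue)
    issue.time_spent = 0
  end
end

# Scenario from the report (constructed data): a non-member opens an issue, then calls both endpoints.
def demo
  member, outsider = User.new(1), User.new(2)
  project = Project.new(42, { 1 => :developer }) # user 2 is not a member
  issue   = Issue.new(project, outsider.id, 0)
  {
    vulnerable_outsider:  (VulnerableIssuesApi.add_spent_time(outsider, issue, 3600) rescue :forbidden),
    fixed_outsider:       (FixedIssuesApi.add_spent_time(outsider, issue, 3600) rescue :forbidden),
    fixed_member:         FixedIssuesApi.add_spent_time(member, issue, 3600),
    fixed_reset_outsider: (FixedIssuesApi.reset_spent_time(outsider, issue) rescue :forbidden)
  }
end
```

The point of the fixed shape is that the quick action and the API cannot drift apart: there is one predicate to test, and it never consults who opened the issue.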
