Todos are not redacted when membership changes - Access to (confidential) issues and merge requests

HackerOne report #880863 by vaib25vicky on 2020-05-22, assigned to @vdesousa:

Summary

This vulnerability was fixed in gitlab-foss#54349 (closed), but it has reappeared, maybe due to some new changes, and one is able to reproduce the vulnerability to access confidential issues and MRs.

All issues and MRs used to get redacted after a one-hour grace period, but this is not happening anymore.

The vulnerability only applies when a user's permissions change from higher to lower. If the user is removed from the project, the to-dos are redacted.

Steps to reproduce

  • Create a private project to see the problem for both confidential issues and MRs, or a public one just for confidential issues (MRs allowed).
  • The owner of the project adds a user with Repository access level.
  • The user adds issues and MRs to their to-do list.
  • The owner changes the user's access level to Guest.
  • The Guest then uses the API and gets access to all new changes to the issues and MRs.

curl --header "PRIVATE-TOKEN: <User A Token>" https://mygitlab.example.com/api/v4/todos

Impact

User still has access to (confidential) issues and merge requests after permission was removed.

What is the current bug behavior?

The bug still allows a low access level user (Guest) to access confidential issues and MRs.

What is the expected correct behavior?

Redact the confidential issues and MRs

PoC

In the image below, you can see that MRs and issues are not redacted even after 2 hours.

pocc.png

Output of checks

This bug happens on GitLab.com

Impact

Todos are not redacted when membership changes - Access to (confidential) issues and merge requests

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Brett Walker
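The reproduction above checks the to-do list by eye. The following script, added here as an editor's example and not part of the report or of GitLab's code, automates that check: it takes the JSON that GET /api/v4/todos returns for the downgraded user, looks up that user's current access_level in each project (GET /api/v4/projects/:id/members/all/:user_id) and the project's visibility (GET /api/v4/projects/:id), and flags every to-do the server should already have redacted. The visibility rules it encodes are the ones the report relies on: confidential issues require Reporter or above, and merge requests in a private project require Reporter or above. The sample responses and project names are constructed for the example; the `live_fetchers` helper and its error handling are this example's assumptions about how one would wire it to a real instance.

```python
"""Flag GitLab to-dos that survived a role downgrade but should have been redacted.

Added example for this report (not GitLab's own code). Assumes the documented
REST shapes of /api/v4/todos, /api/v4/projects/:id and
/api/v4/projects/:id/members/all/:user_id.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, List, Optional

# Role values as returned in the members API `access_level` field.
GUEST, REPORTER = 10, 20

# Constructed sample of GET /api/v4/todos for the downgraded user (not captured
# from GitLab.com). Project 7 is private, project 9 is public.
SAMPLE_TODOS = json.loads("""
[
  {"id": 1, "project": {"id": 7, "path_with_namespace": "acme/private-app"},
   "target_type": "Issue",
   "target": {"iid": 12, "confidential": true, "title": "Rotate leaked API key"}},
  {"id": 2, "project": {"id": 7, "path_with_namespace": "acme/private-app"},
   "target_type": "MergeRequest",
   "target": {"iid": 3, "title": "Hotfix auth bypass"}},
  {"id": 3, "project": {"id": 9, "path_with_namespace": "acme/public-site"},
   "target_type": "Issue",
   "target": {"iid": 40, "confidential": false, "title": "Typo on landing page"}},
  {"id": 4, "project": {"id": 9, "path_with_namespace": "acme/public-site"},
   "target_type": "MergeRequest",
   "target": {"iid": 8, "title": "Update footer"}}
]
""")

# Constructed: the user's role after the downgrade, and each project's visibility.
SAMPLE_ACCESS = {7: GUEST, 9: GUEST}
SAMPLE_VISIBILITY = {7: "private", 9: "public"}


def should_be_redacted(todo: dict, access_level: Optional[int], visibility: str) -> Optional[str]:
    """Return the reason this to-do must be hidden from the user, or None if it may stay.

    A non-member (access_level None) is treated as having no access at all.
    """
    level = access_level or 0
    target = todo["target"]
    if todo["target_type"] == "Issue" and target.get("confidential") and level < REPORTER:
        return "confidential issue visible below Reporter"
    if todo["target_type"] == "MergeRequest" and visibility == "private" and level < REPORTER:
        return "merge request in private project visible below Reporter"
    return None


def leaked_todos(todos: List[dict],
                 access_for: Callable[[int], Optional[int]],
                 visibility_for: Callable[[int], str]) -> List[dict]:
    """Reduce a /todos response to the entries the server should have redacted."""
    leaks = []
    for todo in todos:
        pid = todo["project"]["id"]
        reason = should_be_redacted(todo, access_for(pid), visibility_for(pid))
        if reason:
            prefix = "#" if todo["target_type"] == "Issue" else "!"
            leaks.append({"todo_id": todo["id"],
                          "project": todo["project"]["path_with_namespace"],
                          "target": f'{prefix}{todo["target"]["iid"]} {todo["target"]["title"]}',
                          "reason": reason})
    return leaks


def check_sample() -> List[dict]:
    """Run the check over the constructed sample (stand-alone mode)."""
    return leaked_todos(SAMPLE_TODOS, SAMPLE_ACCESS.get, SAMPLE_VISIBILITY.get)


def live_fetchers(base_url: str, token: str, user_id: int):
    """Build access/visibility lookups against a real instance (assumption: the
    members endpoint answers 404 for non-members, which we map to None)."""
    def get(path: str):
        req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                     headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def access_for(pid: int) -> Optional[int]:
        try:
            return get(f"/projects/{pid}/members/all/{user_id}")["access_level"]
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise

    return get, access_for, lambda pid: get(f"/projects/{pid}")["visibility"]


if __name__ == "__main__":
    for leak in check_sample():
        print(f'todo {leak["todo_id"]} in {leak["project"]}: {leak["target"]} ({leak["reason"]})')
```

To run it against a real instance, call `get, access_for, visibility_for = live_fetchers(url, token, user_id)` with the downgraded user's token and ID, then pass `get("/todos")` to `leaked_todos` together with the two lookups; an empty result after the grace period means the redaction works, a non-empty one reproduces the report.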