[Security] Security policy weaknesses report
Recently, I reported two security-related GitLab issues I discovered using HackerOne (here and there). Unfortunately, they were rejected by the HackerOne staff :-/.
The first one could be used to unnoticeably get permanent (write) access to all user repositories (and the API). The second describes a scenario for completely hijacking a 2FA-protected user account.
I use both gitlab.com and an on-site GitLab instance, so I'm very interested in seeing GitLab be as secure as possible. In the meantime, I tried to contact a GitLab employee whom I've met in the past, but with no luck. Therefore, this issue reported directly on GitLab (with the limited visibility scope) is my desperate attempt to get your attention on the described cases which, in my opinion, can (potentially) impact the security of GitLab's customers.
To make it clear, they are not self-contained. They need a corresponding XSS or MITM attack in place to steal the session cookies (or just one minute with an unlocked developer workstation). I'm not a professional security researcher and I don't have the time and (probably also) the skills to create one. However, looking at the issue history, there have been dozens of XSS attacks found in the GitHub codebase, so it is definitely possible to have such a 0-day lurking in the code. I would prefer not to be exposed to it with the "possibilities" I reported left unfixed.
My findings should be considered security policy weaknesses (which could elevate other 0-day vulnerabilities, not 0-day vulnerabilities themselves), and I strongly advise you to take a look at them, revive those tickets and implement the recommendations I proposed to counteract the possible threats.
Thanks!
Marcin
P.S. CCing some security guys to make the ticket locked down (as a security report) faster: @estrike, @cmaxim, @jeremymatos, @gitlab-securitybot