Unauthorised Guests can read pipeline list as well as pipelines themselves in project with "Public pipelines" disabled
HackerOne report #622074 by nikitastupin on 2019-06-20, assigned to jritchey:
Summary
Hi,
I've found a vulnerability in the API which allows a Guest to read the pipeline list, as well as the pipelines themselves, in a project with "Public pipelines" disabled. A Guest can't do so via the web.
Steps to reproduce
- Create an environment: create a public project, disable "Public pipelines" (Settings -> CI/CD -> General pipelines -> Public pipelines), grant Guest permissions to some account.
- As Guest, list pipelines via the API:
  $ curl -H "Private-Token: :private_token_of_guest" https://gitlab.com/api/v4/projects/:project_id/pipelines
  Note that you can't do so via the web.
- Copy the web link to any pipeline from the response in step 2. Paste it into a browser with a Guest session. You'll see pipeline details.
Impact
Unauthorised Guests can read pipeline list as well as pipelines themselves in project with "Public pipelines" disabled.
Examples
https://gitlab.com/nshackerone/private-project (don't look at the title, it's public project now)
What is the current bug behavior?
Unauthorised Guests can read pipeline list as well as pipelines themselves in project with "Public pipelines" disabled.
What is the expected correct behavior?
We should fix two things:
- Guest shouldn't have access to the pipeline list via the https://docs.gitlab.com/ee/api/pipelines.html#list-project-pipelines endpoint, because he can't access the pipeline list via the web.
- Guest shouldn't have access to pipeline details via the https://gitlab.com/:owner/:project/pipelines/:pipeline_id web endpoint, because he can't access pipeline details via the https://docs.gitlab.com/ee/api/pipelines.html#get-a-single-pipeline endpoint.
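As an added illustration (not GitLab's code and not part of the report), the following models the single "Public pipelines" policy that both the web and the API path should consult, and a parity check that flags the API-only path described in the steps above. The role levels and the assumption that a disabled "Public pipelines" setting requires Reporter or above are modelling assumptions.

```python
# Added example (not GitLab's code): a model of the "Public pipelines" authorization
# rule and a parity check that catches the API/web divergence from this report.
# Role levels and the Reporter threshold are assumptions, not GitLab's actual values.
from itertools import product

GUEST, REPORTER, DEVELOPER, MAINTAINER = 10, 20, 30, 40
ROLES = {"anonymous": 0, "guest": GUEST, "reporter": REPORTER,
         "developer": DEVELOPER, "maintainer": MAINTAINER}


def can_read_project(public_project: bool, access_level: int) -> bool:
    """Project visibility: public projects are readable by anyone, private ones by members."""
    return public_project or access_level >= GUEST


def can_read_pipeline(public_project: bool, public_pipelines: bool, access_level: int) -> bool:
    """The one policy every surface should consult. With "Public pipelines" disabled,
    reading pipelines is assumed to require Reporter or above, so Guests are excluded."""
    if not can_read_project(public_project, access_level):
        return False
    if public_pipelines:
        return True
    return access_level >= REPORTER


def api_list_pipelines_vulnerable(public_project, public_pipelines, access_level):
    """Models the reported behaviour: the API path only checks that the project is
    readable and ignores the per-project "Public pipelines" setting."""
    return can_read_project(public_project, access_level)


def api_list_pipelines_fixed(public_project, public_pipelines, access_level):
    """Fix: the API delegates to the same policy the web UI enforces."""
    return can_read_pipeline(public_project, public_pipelines, access_level)


def authz_divergences(api_handler):
    """Enumerate every (visibility, setting, role) combination and return those where
    the API handler's decision differs from the web policy. Empty list means parity."""
    found = []
    for public_project, public_pipelines, (role, level) in product(
            (True, False), (True, False), ROLES.items()):
        web = can_read_pipeline(public_project, public_pipelines, level)
        api = api_handler(public_project, public_pipelines, level)
        if api != web:
            found.append((public_project, public_pipelines, role))
    return found


if __name__ == "__main__":
    print("vulnerable API divergences:", authz_divergences(api_list_pipelines_vulnerable))
    print("fixed API divergences:", authz_divergences(api_list_pipelines_fixed))
```

Running the parity check against the vulnerable handler lists exactly the Guest and anonymous cases with "Public pipelines" disabled; against the fixed handler it lists nothing.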
Output of checks
This bug happens on GitLab.com