Restrict vulnerability pages for Reporter and below

HackerOne report #1047140 by vaib25vicky on 2020-11-30, assigned to @ngeorge1:

Report | Attachments | How To Reproduce

Why are we doing this work

The fix for the vulnerability described in https://gitlab.com/gitlab-org/gitlab/-/issues/289996 involved hiding the button in the frontend. More importantly, the backend also needs to deny the requests.

Restriction targets

• Security Dashboard (Vulnerabilities over time, Project security status)
  • root group (fka "instance") e.g.: https://gitlab.com/-/security/dashboard)
  • group; e.g.: https://gitlab.com/groups/gitlab-org/-/security/dashboard
  • project; e.g.: https://gitlab.com/gitlab-org/gitlab/-/security/dashboard
• Vulnerability Report
  • group; e.g.: https://gitlab.com/groups/gitlab-org/-/security/vulnerabilities
  • project; e.g.: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report
• GraphQL API
  • Endpoints that provide vulnerability counts for a project.
• REST API
  • Endpoints that create/download exports of vulnerability data.

Relevant links

• Restrict export
• Restrict vulnerability count
• Restrict vulnerability pages
• Restrict all the things

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• iss0.png
• iss1.png
• iss2.png
• iss3.png

Non-functional requirements

• Documentation:
• Feature flag:
• Performance:
• Testing:

Implementation plan

• backend block Reporter and below from requesting:
  • vulnerabilitiesCountByDay, vulnerabilitySeveritiesCount, vulnerabilityGrades endpoints in the GraphQL API
  • vulnerability_exports endpoints in the REST API
• Return 403 for Reporter and below:
  • security/vulnerabilities pages
  • security/dashboard pages
  • security/vulnerability_report page

/cc @matt_wilson @lkerr