Restrict vulnerability pages for Reporter and below
HackerOne report #1047140 by vaib25vicky
on 2020-11-30, assigned to @ngeorge1:
Why are we doing this work
The fix for the vulnerability described in https://gitlab.com/gitlab-org/gitlab/-/issues/289996 only hid the button in the frontend. A user at Reporter or below can still send the underlying requests directly, so the backend also needs to deny them.
Restriction targets
- Security Dashboard (Vulnerabilities over time, Project security status)
  - root group (fka "instance"), e.g.: https://gitlab.com/-/security/dashboard
  - group, e.g.: https://gitlab.com/groups/gitlab-org/-/security/dashboard
  - project, e.g.: https://gitlab.com/gitlab-org/gitlab/-/security/dashboard
- Vulnerability Report
- GraphQL API
  - Endpoints that provide vulnerability counts for a project.
- REST API
  - Endpoints that create/download exports of vulnerability data.
Relevant links
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- backend: block Reporter and below from requesting:
  - vulnerabilitiesCountByDay, vulnerabilitySeveritiesCount, vulnerabilityGrades endpoints in the GraphQL API
  - vulnerability_exports endpoints in the REST API
- Return 403 for Reporter and below:
  - security/vulnerabilities pages
  - security/dashboard pages
  - security/vulnerability_report page
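As an added example (not GitLab's own code), a minimal Ruby model of the backend check the plan calls for: the authorization decision is made server-side from the user's access level, so a Reporter who replays the request without the hidden button still gets 403 on the pages and REST endpoints, and nil for the restricted GraphQL fields. The numeric access levels match GitLab's (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50); the class and method names, the page path pattern, the export API pattern and the choice of Developer as the minimum readable level are assumptions for illustration.

```ruby
# Added example, not GitLab code. Models the server-side check that denies
# vulnerability data to Reporter and below. Names are hypothetical.

module AccessLevel
  NO_ACCESS  = 0
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Hypothetical policy: vulnerability data is readable from Developer upward,
# which makes "Reporter and below" the denied set.
class VulnerabilityPolicy
  MIN_READ_LEVEL = AccessLevel::DEVELOPER

  def self.can_read?(access_level)
    access_level >= MIN_READ_LEVEL
  end
end

# Pages named in the implementation plan (assumed path shapes: the same
# "/-/security/..." suffix for the instance, group and project dashboards).
RESTRICTED_PAGES = %r{/-/security/(dashboard|vulnerabilities|vulnerability_report)(/|\z)}

# REST export endpoints named in the plan (assumed URL pattern).
EXPORT_API = %r{\A/api/v4/(projects|groups)/[^/]+/vulnerability_exports(/\d+(/download)?)?\z}

# GraphQL fields named in the plan.
RESTRICTED_FIELDS = %w[
  vulnerabilitiesCountByDay
  vulnerabilitySeveritiesCount
  vulnerabilityGrades
].freeze

def restricted_path?(path)
  RESTRICTED_PAGES.match?(path) || EXPORT_API.match?(path)
end

# Hypothetical controller-side check, run before any data is loaded.
# Returns the HTTP status the request should receive: 403 for a denied user
# on a restricted path, 200 otherwise (unrestricted paths pass through).
def handle_request(path, access_level)
  return 200 unless restricted_path?(path)

  VulnerabilityPolicy.can_read?(access_level) ? 200 : 403
end

# Hypothetical GraphQL-side check: a restricted field resolves to nil for a
# denied user instead of leaking counts; unrestricted fields are untouched.
def resolve_field(field_name, access_level, value)
  return value unless RESTRICTED_FIELDS.include?(field_name)

  VulnerabilityPolicy.can_read?(access_level) ? value : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: the same path with and without the hidden button
  # makes no difference to the backend, only the access level does.
  [
    ["/gitlab-org/gitlab/-/security/dashboard", AccessLevel::REPORTER],
    ["/gitlab-org/gitlab/-/security/dashboard", AccessLevel::DEVELOPER],
    ["/api/v4/projects/278964/vulnerability_exports", AccessLevel::GUEST],
  ].each do |path, level|
    puts "#{level.to_s.rjust(2)} #{path} -> #{handle_request(path, level)}"
  end
end
```

The point of the structure is that the policy object is the single place the decision is made: the page controllers, the REST endpoint and the GraphQL resolvers all consult it, so hiding a button in the frontend is cosmetic and the denial does not depend on which route the user takes.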
/cc @matt_wilson @lkerr
Edited by Lindsay Kerr