Guest in private project can see CI/CD Analytics
HackerOne report #1074326 by ashish_r_padelkar on 2021-01-08, assigned to @dcouture:
Report
Summary
Hello,
This is most probably a documentation error, but I am reporting it because your policy states: "Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related."
As per the user permissions documentation, https://docs.gitlab.com/ee/user/permissions.html, a Guest should not be able to "View CI/CD analytics".
I think it is wrongly mentioned, as a guest can see CI/CD Analytics in private projects. Not too sure if there have been any recent changes, but in any case, either the documentation or the code needs fixing!
Steps to reproduce
- Log in as a guest in a private project: you can see the CI/CD Analytics option and can browse it too!
Regards,
Ashish
Impact
Guest in private project can see CI/CD Analytics