Access control - Guest user can delete snippets at https://gitlab.com
HackerOne report #691746 by brdoors3 on 2019-09-10, assigned to akelly:
Hi team,
I found one possible access control/privilege issue related to Guest users on snippets area at https://gitlab.com
POC
I checked with support@gitlab.com whether a Guest member can delete Snippets and received this response.
I also took a look at the documentation area at https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions and didn't find any permission for it.
1. Access https://gitlab.com as a Guest member, find a snippet that the Guest himself created > click to edit > Delete > Confirm
Snippet deleted
Impact
In this scenario, although it should not be possible, a Guest member can delete Snippets created by himself at /snippets.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!