Security & compliance disabled, but information and functionality are still exposed

HackerOne report #1100555 by vaib25vicky on 2021-02-11, assigned to @rchan-gitlab:


Report

Summary

There is an access control issue in Security & Compliance which allows a malicious user to access information as well as delete or edit it.

Steps to reproduce
  • Create a PUBLIC project and disable Security & Compliance from Settings > General > Visibility, project features, permissions.

s1.png

  • For a simple PoC, let us configure a DAST profile at https://gitlab.com///-/security/configuration/dast_profiles#site-profiles

s2.png

  • Go to Add member and invite someone with Developer access. Let's say Vicky.
  • Vicky, after going over the project, doesn't see the Security & Compliance tab because it is disabled by the maintainer.
  • But he can directly access all Security & Compliance features by going to the URLs:

https://gitlab.com/<owner>/<project>/-/security/configuration/dast_profiles
https://gitlab.com/<owner>/<project>/-/security/dashboard
https://gitlab.com/<owner>/<project>/-/security/vulnerability_report
https://gitlab.com/<owner>/<project>/-/on_demand_scans
https://gitlab.com/<owner>/<project>/-/threat_monitoring

  • Vicky can access sensitive information and he can also DELETE or EDIT it.
  • Go to the DAST profile we created in the previous step and delete the profile. It will be deleted.

s3.png

  • The other parts of Security & Compliance are also affected, such as the vulnerability report, dashboard, DAST profiles, etc.

What is the current bug behavior?

The maintainer disabled Security & Compliance, but a developer on the project can still ACCESS and DELETE/EDIT them.

What is the expected correct behavior?

Disabled security & compliance should not be accessible by anyone.

Output of checks

This bug happens on GitLab.com (not sure about other instances).

Impact

Security & Compliance is disabled, but information and functionality are still exposed. An attacker can ACCESS as well as DELETE/EDIT them.
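The expected behavior in the report is that a project-level feature toggle is enforced on every route under that feature, not only by hiding the navigation tab. The following is an added example, not GitLab's own code: a minimal Ruby model of per-project feature levels and the authorization guard that each Security & Compliance route would need to run. The names (ProjectFeature levels, the ACCESS_LEVELS table, feature_accessible?, handle_request) and the sample project with members "owner" and "vicky" are constructed for illustration and are not GitLab identifiers; the paths are the ones listed in the report.

```ruby
# Added example (not GitLab's code): per-project feature toggles and the
# authorization check that direct URL access must still pass.
# All names below are illustrative assumptions.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

module ProjectFeature
  DISABLED = 0    # nobody, including maintainers, can reach the feature
  PRIVATE  = 10   # project members only
  ENABLED  = 20   # everyone who can see the project
end

Project = Struct.new(:visibility, :members, :features) do
  # Feature level for e.g. features[:security_and_compliance]
  def feature_level(feature)
    features.fetch(feature, ProjectFeature::ENABLED)
  end

  # Access level of a user, or nil when they are not a member
  def member_access(user)
    members[user]
  end
end

# The check every route under a feature must run, independent of whether the
# tab is rendered in the UI. A DISABLED feature denies everyone, so the UI
# hiding the tab is never the control that protects the data.
def feature_accessible?(project, user, feature)
  case project.feature_level(feature)
  when ProjectFeature::DISABLED then false
  when ProjectFeature::PRIVATE  then !project.member_access(user).nil?
  when ProjectFeature::ENABLED
    project.visibility == :public || !project.member_access(user).nil?
  else false
  end
end

# Routes that belong to the Security & Compliance feature (from the report)
SECURITY_PATHS = %w[
  /-/security/configuration/dast_profiles
  /-/security/dashboard
  /-/security/vulnerability_report
  /-/on_demand_scans
  /-/threat_monitoring
].freeze

# Controller-style guard: returns the HTTP status a request would receive.
def handle_request(project, user, path, method: :get)
  security_route = SECURITY_PATHS.any? { |p| path.end_with?(p) }
  return 200 unless security_route # unrelated route, not subject to this check

  # 404 rather than 403 so the response does not confirm the feature exists
  return 404 unless feature_accessible?(project, user, :security_and_compliance)

  # Write actions (edit/delete) additionally require Developer or higher
  if %i[post put patch delete].include?(method)
    level = project.member_access(user) || 0
    return 403 if level < ACCESS_LEVELS[:developer]
  end
  200
end

# Constructed sample: a public project with Security & Compliance disabled,
# a maintainer "owner" and a developer "vicky" (matches the report's setup).
def sample_project
  Project.new(:public,
              { 'owner' => ACCESS_LEVELS[:maintainer], 'vicky' => ACCESS_LEVELS[:developer] },
              { security_and_compliance: ProjectFeature::DISABLED })
end

if __FILE__ == $PROGRAM_NAME
  proj = sample_project
  puts handle_request(proj, 'vicky', '/-/security/dashboard')                                   # 404
  puts handle_request(proj, 'vicky', '/-/security/configuration/dast_profiles', method: :delete) # 404
  proj.features[:security_and_compliance] = ProjectFeature::PRIVATE
  puts handle_request(proj, 'vicky', '/-/security/configuration/dast_profiles', method: :delete) # 200
  puts handle_request(proj, nil, '/-/security/dashboard')                                       # 404
end
```

The point of the model is that the DISABLED branch returns false before any role is consulted, so a developer reaching a DAST profile or the vulnerability report by URL gets the same 404 as an anonymous visitor; the role check only matters once the feature is turned back on.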

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: