Guest Users can create issues for Sentry errors and track their status
HackerOne report #1117768 by maruthi12
on 2021-03-05, assigned to GitLab Team:
Report
Summary
According to the permission docs and the Error Tracking docs, only users with the Reporter
role or higher can see or modify Error Tracking details. However, the "Create Issue" request allows a Guest
user to create a reference issue for an error and to track its status whenever another user resolves it.
Steps to reproduce
- Consider a private project with a Guest role user.
- Connect Sentry to this project from the Maintainer account.
- Create new issues in Sentry. This automatically populates these errors in https://gitlab.com/project_name/-/error_tracking/.
- Now, consider the request for creating an issue. The POST data format for this is as follows:
  issue[title]=Title
  issue[description]=Description
  issue[sentry_issue_attributes][sentry_issue_identifier]=Error_Id
  authenticity_token=your_auth_token
- Change the Error_Id parameter to some error's reference id value (this is basically Sentry's error id).
- Now, execute the request from the Guest's session. This creates an issue for that particular error.
- Now, go to the Maintainer's login and resolve the error. This will close the issue created by the Guest user with the message "@Maintainer resolved the corresponding error and closed the issue".
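The authorization gap these steps describe, as an added example that is not GitLab's code and does not claim to be GitLab's actual fix: a request handler that only checks the permission to create issues (which Guests hold) lets the nested sentry_issue_attributes ride along unchecked, while a hardened handler treats the Sentry link as an error tracking write and requires the Reporter role the docs cite. The role ranks, handler and helper names, the small nested-form parser, and the identifier and token values in the sample body are all assumptions or constructed placeholders.

```ruby
require "uri"

# Access levels in ascending order of privilege (GitLab's role names; the numeric
# ranks are assumed for this example).
ROLE_RANK = {
  "guest" => 10, "reporter" => 20, "developer" => 30, "maintainer" => 40, "owner" => 50
}.freeze

# Per the docs cited in the report, error tracking data needs Reporter or higher.
ERROR_TRACKING_MIN_ROLE = "reporter"

# Constructed request body in the shape the report quotes; the identifier and token
# values are placeholders, not real Sentry or GitLab values.
SAMPLE_BODY =
  "issue[title]=Title&issue[description]=Description" \
  "&issue[sentry_issue_attributes][sentry_issue_identifier]=1234567890" \
  "&authenticity_token=TOKEN_PLACEHOLDER"

# Minimal Rails-style nested form parser: "a[b][c]=v" becomes {"a"=>{"b"=>{"c"=>"v"}}}.
def parse_nested_form(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    path = key.scan(/[^\[\]]+/)
    leaf = path.pop
    node = path.inject(params) { |hash, segment| hash[segment] ||= {} }
    node[leaf] = value
  end
end

def role_at_least?(role, minimum)
  rank = ROLE_RANK[role.to_s.downcase]
  !rank.nil? && rank >= ROLE_RANK.fetch(minimum)
end

# True when the submitted issue asks to be linked to a Sentry error.
def links_sentry_issue?(issue_params)
  attrs = issue_params["sentry_issue_attributes"]
  attrs.is_a?(Hash) && !attrs["sentry_issue_identifier"].to_s.strip.empty?
end

# Vulnerable shape (hypothetical handler): only the permission to create issues is
# checked, which Guests hold, so the Sentry attributes are accepted for any role.
def vulnerable_create_issue(role, issue_params)
  return { status: 403, error: "forbidden" } unless role_at_least?(role, "guest")
  { status: 201, issue: issue_params }
end

# Hardened shape (hypothetical handler): linking an issue to a Sentry error is gated on
# the same role the docs require for reading error tracking data.
def hardened_create_issue(role, issue_params)
  return { status: 403, error: "forbidden" } unless role_at_least?(role, "guest")
  if links_sentry_issue?(issue_params) && !role_at_least?(role, ERROR_TRACKING_MIN_ROLE)
    # Reject explicitly instead of silently dropping the attribute, so the decision is visible.
    return { status: 403, error: "sentry_issue_attributes requires Reporter role or higher" }
  end
  { status: 201, issue: issue_params }
end

if __FILE__ == $PROGRAM_NAME
  issue = parse_nested_form(SAMPLE_BODY)["issue"]
  %w[guest reporter maintainer].each do |role|
    puts "#{role}: vulnerable=#{vulnerable_create_issue(role, issue)[:status]} " \
         "hardened=#{hardened_create_issue(role, issue)[:status]}"
  end
end
```

Rejecting the request (rather than quietly stripping sentry_issue_attributes) is the deliberate choice here: a 403 leaves an auditable trace of a Guest attempting an error tracking write, whereas a silently downgraded 201 hides the policy decision from both the client and the logs.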
Impact
Using this vulnerability, Guest users can create issues for Sentry errors and track their status.