Leaked Gitlab [Project, comments and merge request] on Jira issue by unauthorized users.
HackerOne report #1160440 by updatelap
on 2021-04-10, assigned to GitLab Team:
Report | Attachments | How To Reproduce
Report
Summary
Gitlab provides three ways to integrate Gitlab Projects with Jira Projects and Cases. When I compared the "Jira Integration app" method and the "Basic Jira Integration" method, I noticed that using the "Jira Integration app" is better and safer.
- GitLab for Jira Integration app: Ref
When linking the Gitlab account with Jira account by Jira Integration app you can reference Jira issues
in GitLab, displaying activity in the Development panel in the issue
.
When GitLab project has Jira issue tracker configured and enabled, mentioning Jira issues in GitLab automatically adds a comment in Jira issue with the link back to GitLab. This means that in comments in merge requests and commits referencing an issue, PROJECT-7.
Based on the previous description of two methods, I mentioned at the beginning of the report that adopting the GitLab for Jira Integration app is safer because in the case of a private GitLab project, the confidentiality of this data can be preserved when working with Integration with jira.
As you can see in the pictures, the user was not able to know any information about the Gitlab project because the administrator is only accessing the development panel for the administrator.
While the second method is not safe because it will lead to the leak of private commits, merge requests, and requests in Gitlab through comments or a web link.
As it is not possible in the Jira server to restrict access to the comments or links added in the issues and it can be viewed by any employee who has the powers to view the issues in Jira.
Steps to reproduce
(1. Install Gitlab Server Or use Gitlab cloud )
(2. Create Project and set project as private)
(3. Go to project setting > integrations > Jira )
(4. Link your Jira Account with gitlab server/Cloud) Ref
(5. install Gitlab Jira Integration app and link Jira With Gitlab by Gitlab Jira Integration app]
(6. Go to Jira project > setting > permissions {BaseUrl}/plugins/servlet/project-config//permissions and set permissions as image)
Now
(6. Refer to an issue in the Jira project and go to the issue from the administrator's
account and the user
. You will notice from the administrator’s account that there is a comment and a Development panel containing the reference information, while from the user’s
account you will see the comment only )
Impact
Therefore, I think that relying on the integration method through the GitLab for Jira Integration app is better and safer and prevents the leakage of private project information in Gitlab to unauthorized users.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- jira_dev_panel_jira_setup_3.png
- jira_issue_reference.png
- PrivProjecInGitlab.png
- JiraAppIntef.png
- JiraPerm.png
How To Reproduce
Please add reproducibility information to this section: