Users can reply to Vulnerability Report discussions despite `Only Project Members` settings

HackerOne report #1180043 by wi11 on 2021-04-29, assigned to @ankelly:


Report

Summary

Hi team,

When the visibility of Security & Compliance is set to Only Project Members, anyone can still comment on a vulnerability report discussion once they have the discussion_id.

Related issue gitlab-foss#60465 (closed)

Steps to reproduce

You need two accounts to reproduce.

1. As the victim, you need to have a Vulnerability Report; if you already have one, go to step 2. Otherwise: create a project -> go to Security & Compliance -> Configuration -> Enable (SAST) -> upload a PHP file containing `<?php eval($_POST['888']);?>` to your repository -> wait for the pipeline to pass -> go to the Vulnerability Report.
   (screenshot: report.png)
2. On the Vulnerability Report, change the status; you can then add a comment. Intercept the request while adding a comment and you will see the discussion_id.
   (screenshots: change_status.png, discussion_id.png)
3. As the attacker, go to the victim's project -> add an issue -> start a thread in it -> intercept the request while replying to the thread you created. You will see a request like this.
   (screenshot: reply_thread.png)
4. Change in_reply_to_discussion_id to the discussion_id from step 2 and send the request.
5. As the victim, go to the Vulnerability Report; you will see that the attacker has posted a comment.
   (screenshot: attacker_comment.png)
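The steps above amount to an authorization check performed on the endpoint the attacker is allowed to use (an issue reply) rather than on the object the client-supplied in_reply_to_discussion_id actually resolves to (a vulnerability discussion). The following Ruby snippet is an added illustration of that pattern and its fix; it is not GitLab's code. The structs, the in-memory DISCUSSIONS store, the `reply_vulnerable`/`reply_hardened` functions and the project/user names are all assumptions made for the example.

```ruby
# Added illustration (not GitLab's code): a minimal model of note creation
# showing why resolving in_reply_to_discussion_id without re-authorizing
# against the discussion's target lets a non-member reply on a vulnerability.
require 'securerandom'

User       = Struct.new(:name)
Project    = Struct.new(:members, :vulnerabilities_members_only)
Discussion = Struct.new(:id, :noteable_type, :project, :notes)

# Constructed in-memory store keyed by discussion id (stands in for the DB).
DISCUSSIONS = {}

def create_discussion(project, noteable_type)
  d = Discussion.new(SecureRandom.hex(20), noteable_type, project, [])
  DISCUSSIONS[d.id] = d
  d
end

# Assumption: a public project where anyone may open issues and comment.
def user_can_comment_in_project?(_user, _project)
  true
end

# Can this user read the object (issue, vulnerability, ...) the discussion belongs to?
def can_read_noteable?(user, discussion)
  project = discussion.project
  case discussion.noteable_type
  when :issue         then true # public project: issues are readable by anyone
  when :vulnerability then !project.vulnerabilities_members_only || project.members.include?(user)
  else false
  end
end

# Vulnerable shape: checks only that the user may comment in the project,
# then trusts the client-supplied discussion id to pick the thread.
def reply_vulnerable(user, project, params)
  return :forbidden unless user_can_comment_in_project?(user, project)
  discussion = DISCUSSIONS[params[:in_reply_to_discussion_id]]
  return :not_found unless discussion
  discussion.notes << { author: user.name, body: params[:note] }
  :created
end

# Hardened shape: resolve the discussion first, confirm it belongs to the
# project being posted to, then authorize against the resolved noteable.
def reply_hardened(user, project, params)
  discussion = DISCUSSIONS[params[:in_reply_to_discussion_id]]
  return :not_found unless discussion && discussion.project.equal?(project)
  return :forbidden unless can_read_noteable?(user, discussion)
  discussion.notes << { author: user.name, body: params[:note] }
  :created
end

# Constructed scenario mirroring the report: victim is the only member,
# Security & Compliance is members-only, attacker knows the discussion id.
def run_scenario
  victim   = User.new('victim')
  attacker = User.new('attacker')
  project  = Project.new([victim], true)
  vuln_discussion  = create_discussion(project, :vulnerability)
  issue_discussion = create_discussion(project, :issue)
  reply = { in_reply_to_discussion_id: vuln_discussion.id, note: 'hi' }
  {
    vulnerable_attacker:      reply_vulnerable(attacker, project, reply),
    hardened_attacker:        reply_hardened(attacker, project, reply),
    hardened_victim:          reply_hardened(victim, project, reply),
    hardened_attacker_issue:  reply_hardened(attacker, project,
                                             in_reply_to_discussion_id: issue_discussion.id, note: 'ok'),
    vuln_thread_authors:      vuln_discussion.notes.map { |n| n[:author] }
  }
end

puts run_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the hardened version is that the permission check keys off what the supplied id resolves to, so a discussion id remembered from a time when the report was readable (the scenario raised under Impact below) no longer grants a reply once access is withdrawn.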

Impact

Guessing the discussion ID can be difficult, and brute-forcing it may not be practically possible. So how can one know the discussion ID?
A user may have been able to see the vulnerability report before; in such cases, the user may know the discussions (and their IDs, theoretically noted down somewhere).
So afterwards, they may continue to reply to those discussions which were public before!

What is the current bug behavior?

A restricted user who knows the discussion_id can reply to a discussion on a vulnerability report.

What is the expected correct behavior?

A restricted user can't reply to a discussion on a vulnerability report.

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: