User with expired password can still access sensitive info
HackerOne report #1348738 by joaxcar
on 2021-09-22, assigned to @vdesousa:
Report
Summary
When a user's password has expired, the user cannot access the GitLab instance before providing a new one. The user will not be able to view projects or groups, nor the merge request list in the projects where the user previously had access.
The latest patch to GitLab introduces an RSS feed for tracking updates to a project's merge requests. This feed is available to the user even after the rest of GitLab is blocked due to password expiration.
This could be related to my previous report where a user with expired password could access the API, but I have not been able to confirm that.
(This also affects users who retrieved an RSS feed before a "terms of service" was put in place by an admin. The user will be prompted with "accept or log out"; if the user clicks deny and logs out, the user will not be able to access internal or private projects anymore, but can still access the RSS feeds!)
Steps to reproduce
- Create two users, one admin `admin1` and one user `user1`
- Log in as `admin1` and create a private project `project1` on https://gitlab.domain.com/projects/new#blank_project
- Create a branch on https://gitlab.joaxcar.com/admin1/project1/-/branches/new and click "create merge request" when the branch is created
- Create a merge request to main
- Go to https://gitlab.domain.com/admin1/project1/-/project_members and invite `user1` as a Developer to the project
- Log out and log in as `user1`
- Go to https://gitlab.domain.com/admin1/project1/-/merge_requests
- Click the RSS icon
- Save the path to the RSS feed in a separate tab
- Log out and log in as `admin1`
- Go to the admin page for editing `user1`, https://gitlab.domain.com/admin/users/user1/edit, and change the user's password. This triggers "password expired at" to be set to the current time, effectively putting `user1` in the state of "expired password"
- Log out
- Refresh the tab with the RSS feed and confirm that it can still access the feed. (This is done as `user1`.)
Impact
A user with an expired password can still access information about merge requests in internal and private projects.
What is the current bug behaviour?
RSS feeds are accessible by users that have an expired password.
What is the expected correct behaviour?
RSS feeds should be blocked for users with an expired password, like the rest of GitLab.
Output of checks
This bug happens on GitLab.com
Impact
A user with an expired password can access a stream of information from internal and private projects which should be out of reach.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
@bdenkovych
update
While reading the codebase I noticed that there are lots of endpoints that authenticate users with an expired password. Here is the list:
- User
  - /:username.atom - this endpoint is publicly available, but when a user is authenticated the response contains private info
- Dashboard issues
  - /dashboard/issues.atom
  - /dashboard/issues.ics
- Dashboard projects
  - /dashboard/projects.atom
- Group
  - /*id.atom
  - /groups/*id/-/issues.atom
  - /groups/*id/-/issues.ics
- Project
  - /*namespace_id/:id.atom
- Project commits
  - /*namespace_id/:project_id/-/commits/*id?format=atom
- Project tags
  - /*namespace_id/:project_id/-/tags?format=atom
- Project issues
  - /*namespace_id/:project_id/-/issues.atom
  - /*namespace_id/:project_id/-/issues.ics
- Project merge requests
  - /*namespace_id/:project_id/-/merge_requests.atom
- Project raw files with external storage
  - /*namespace_id/:project_id/-/raw/*id
- Project archive with external storage
  - /*namespace_id/:project_id/-/archive/*id(.:format)
  - https://docs.gitlab.com/ee/administration/static_objects_external_storage.html#serving-private-static-objects
- GraphQL
  - /api/graphql with PAT

You can reproduce this issue for all those endpoints by following similar steps to those described for /*namespace_id/:project_id/-/merge_requests.atom.
As mentioned in #343247 (comment 713877122), users like LDAP and OmniAuth users should retain access even with an expired password.
In https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2042 I added test cases to cover all these endpoints.
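The following is an added example, not GitLab's code or anything from the merge request above: a minimal Ruby model of the access gate the report describes as missing on feed, raw, archive and GraphQL requests. It applies the rule from the comment above (an expired local password blocks these endpoints, while LDAP/OmniAuth users keep access) and matches the endpoint families in the list. The `User` struct, its `provider` field (nil standing for a local password account) and the `authorize` helper are constructed assumptions for illustration; anonymous requests are left to the normal visibility rules.

```ruby
require 'time'

# Constructed stand-in for an account (not GitLab's User model). `provider`
# nil means a local password account; a non-nil value (e.g. 'ldapmain')
# models an LDAP/OmniAuth user, who is exempt from the expiry gate.
User = Struct.new(:username, :password_expired_at, :provider, keyword_init: true) do
  def password_expired?(now = Time.now)
    return false unless provider.nil?        # externally authenticated: not gated
    return false if password_expired_at.nil? # never expired
    password_expired_at <= now
  end
end

# Path patterns for the endpoint families listed in the comment above.
# Commits/tags feeds are selected by ?format=atom and handled separately.
GATED_PATTERNS = [
  %r{\.(atom|ics)\z},      # *.atom / *.ics feeds (user, dashboard, group, project)
  %r{/-/raw/},             # project raw files (external storage)
  %r{/-/archive/},         # project archive (external storage)
  %r{\A/api/graphql\z}     # GraphQL with a PAT
].freeze

# True when the request is one of the endpoint kinds that must be gated.
def gated_endpoint?(path, format: nil)
  return true if %w[atom ics].include?(format.to_s)
  GATED_PATTERNS.any? { |re| path.match?(re) }
end

# Decision the missing check would take for an authenticated request.
# Returns :allow or :deny_password_expired.
def authorize(user, path, format: nil, now: Time.now)
  return :allow if user.nil?                               # anonymous: public rules apply
  return :allow unless gated_endpoint?(path, format: format)
  user.password_expired?(now) ? :deny_password_expired : :allow
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: user1 after the admin reset its password (expired 60 s ago).
  user1 = User.new(username: 'user1', password_expired_at: Time.now - 60, provider: nil)
  puts authorize(user1, '/admin1/project1/-/merge_requests.atom')   # deny_password_expired
  puts authorize(user1, '/admin1/project1/-/commits/main', format: 'atom')
end
```

The point of the model is that the gate keys on the request kind, not on the HTML layout: the feeds are reached by path or `format` parameter, so a check that lives only in the HTML-rendering flow is exactly what the report shows being bypassed.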