Merge request CI metrics still returned for users without CI access

HackerOne report #705960 by xanbanx on 2019-10-01, assigned to @ankelly:

Hi GitLab security team,

Summary

It seems the report #546860 has not yet been fixed properly. While the related request https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/test_reports.json was fixed, the metrics are still accessible via https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/metrics_reports.json

For public projects, GitLab allows restricting CI pipelines to project members only (public pipelines disabled). However, in this case, the merge request widget still renders the CI metrics result, which is the outcome of a CI pipeline. These metrics are the output of the CI job and should only be displayed if the visiting user has access to CI. However, right now GitLab displays the metric changes regardless of the CI permission.

Steps to reproduce

Tested on GitLab Enterprise Edition 12.3.0-pre a91e743e

  1. Create a public project and push a .gitlab-ci.yml with the following content:

metrics:
  script:
    - echo 'my_metric first_value' > metrics.txt
  artifacts:
    reports:
      metrics: metrics.txt

  2. Create a merge request (assuming with iid 1) by modifying the .gitlab-ci.yml file, specifically by changing the metrics line, e.g., to - echo 'my_metric new_value' > metrics.txt

  3. Restrict the visibility of CI pipelines to project members only and disable public pipelines

  4. As an anonymous user, visit the page https://example.gitlab.com/<namespace>/<public-project-name>/1

You see the metrics widget rendered although the user does not have access to CI. Behind the scenes, the JSON endpoint https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/metrics_reports.json loads this data and reveals the metrics information to unauthorized users.

Impact

Users without proper access level have access to metrics information.

Examples

Go to test-public-wroup-wter-test/test-metrics!1.json to see the metrics leaked.

What is the current bug behavior?

Users without access to CI have access to metrics, which are tied to a merge request and are an output of CI.

What is the expected correct behavior?

Users without proper access level should not have access to metrics.

Output of checks

This bug happens on GitLab.com.

Best regards,
Xanbanx

Impact

See above.
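The authorization gap described in the report, as an added illustration in Ruby that is not GitLab's code: a simplified model in which the metrics endpoint applies only the project-visibility check, beside one that also requires CI (build) access, the same gate the report says test_reports.json already enforces. The Project and User structures, the membership rule and the sample metrics are assumptions.

```ruby
# Added illustration (not GitLab's code): a simplified authorization model for a
# merge-request metrics report endpoint. Names and rules are assumptions.
require 'json'

Project = Struct.new(:public, :public_builds, :members, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

# Constructed sample metrics, standing in for the CI job's metrics.txt artifact
# before and after the merge request changed its value.
SAMPLE_METRICS = [
  { 'name' => 'my_metric', 'value' => 'new_value', 'previous_value' => 'first_value' }
].freeze

def member?(project, user)
  !user.nil? && project.members.include?(user.name)
end

# Anyone may read a public project; only members may read a private one.
def can_read_project?(project, user)
  project.public || member?(project, user)
end

# Pipeline output (including report artifacts) is visible only when the project
# exposes pipelines publicly or the user is a project member ("public pipelines
# disabled" in the report means public_builds is false).
def can_read_build?(project, user)
  return false unless can_read_project?(project, user)
  project.public_builds || member?(project, user)
end

# Leaky behaviour from the report: only the project-level check gates the data.
def metrics_reports_leaky(project, user)
  return [404, nil] unless can_read_project?(project, user)
  [200, SAMPLE_METRICS.to_json]
end

# Fixed behaviour: gate the report on CI (build) access instead.
def metrics_reports_fixed(project, user)
  return [404, nil] unless can_read_build?(project, user)
  [200, SAMPLE_METRICS.to_json]
end

if __FILE__ == $PROGRAM_NAME
  project = Project.new(public: true, public_builds: false, members: ['maintainer'])
  puts metrics_reports_leaky(project, nil).inspect  # anonymous user still receives the metrics
  puts metrics_reports_fixed(project, nil).inspect  # anonymous user receives 404
end
```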

Edited Mar 10, 2020 by Furkan Ayhan