
Unauthorized users have access to milestones of releases

HackerOne report #709200 by xanbanx on 2019-10-07, assigned to @jeremymatos:

Hi GitLab Security Team,

Summary

GitLab allows restricting issues and merge requests for public projects to project members only. In this setting, unauthenticated users do not have access to milestones.
However, when milestones are associated with a release, unauthenticated users still have access to the full milestone (title, description, etc.).

Steps to reproduce

Tested on GitLab Enterprise Edition 12.3.0-pre f79c1794

  1. Create a public project and restrict the access to issues and merge requests to project members only
  2. Create a milestone, i.e., secret-milestone
  3. Push some code, create a git tag, i.e., my-tag, and provide release notes to create an actual release
  4. Update the release and add the milestone to the release via the API. Do this by doing the following API call: curl -X PUT -H "Private-Token: <private-token>" https://example.gitlab.com/api/v4/projects/<project-id>/releases/my-tag?milestones[]=secret-milestone
  5. As an unauthenticated user, perform the following API call: curl https://example.gitlab.com/api/v4/projects/<project-id>/releases

This returns a JSON response with all releases of this project. The JSON response now includes the associated milestones, similar to this example:

[
  {
    ....
    "upcoming_release": false,
    "milestones": [
      {
        "id": 22,
        "iid": 1,
        "project_id": 3,
        "title": "secret milestone",
        "description": "this is a very secret milestone description",
        "state": "active",
        "created_at": "2019-10-07T16:15:14.911Z",
        "updated_at": "2019-10-07T16:15:14.911Z",
        "due_date": "2019-10-08",
        "start_date": "2019-10-01",
        "web_url": "https://example.gitlab.com/mynamespace/secretproject/-/milestones/1"
      }
    ],
    ...
]

These milestones are returned although the unauthorized user does not have access to milestones.

Impact

Unauthorized users have access to milestones.

Examples

Visit https://gitlab.com/api/v4/projects/14697368/releases to see the associated milestone of a release. This project normally does not allow access to milestones for unauthorized users.

What is the current bug behavior?

Users without access to milestones can access the associated milestones of releases.

What is the expected correct behavior?

If the user does not have access to issues and merge requests, the access to milestones via releases should also not be possible. Probably, there is a missing read_milestone check in https://gitlab.com/gitlab-org/gitlab/blob/master/lib%2Fapi%2Fentities.rb#L1304

Output of checks

This bug happens on GitLab.com

Best regards,
Xanbanx

Impact

See above.
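As an added example (not GitLab's code and not part of the report above), the following Ruby models the class of bug the report points at: a release entity that serializes its nested milestones without asking whether the current user may read them, beside a version that applies the check at the association. Project, Milestone, Release, User and can_read_milestones? are simplified stand-ins for GitLab's models and policy layer, and the sample project, milestone and release are constructed to match the report's scenario (public project, issues and merge requests restricted to members).

```ruby
require 'json'

# Minimal stand-ins for the real models (assumptions, not GitLab's classes).
Project   = Struct.new(:id, :visibility, :issues_access, :members, keyword_init: true)
Milestone = Struct.new(:id, :title, :description, :project, keyword_init: true)
Release   = Struct.new(:tag_name, :description, :project, :milestones, keyword_init: true)
User      = Struct.new(:name, keyword_init: true)

# Assumed policy: milestones are readable when the project's issues are visible
# to everyone, or when the user is a project member. An anonymous user (nil)
# on a public project whose issues are members-only therefore may not read them.
def can_read_milestones?(user, project)
  return true if project.issues_access == :everyone
  return false if user.nil?
  project.members.include?(user)
end

def milestone_hash(m)
  { 'id' => m.id, 'title' => m.title, 'description' => m.description }
end

# Vulnerable shape: the release is visible, so every nested association is
# dumped too, and the milestone permission is never consulted.
def release_entity_vulnerable(release, _user)
  {
    'tag_name'    => release.tag_name,
    'description' => release.description,
    'milestones'  => release.milestones.map { |m| milestone_hash(m) }
  }
end

# Fixed shape: the nested association is gated on the same read check that
# protects the milestone endpoints themselves. The key is kept (as an empty
# array) so the response schema does not change for unprivileged callers.
def release_entity_fixed(release, user)
  milestones =
    if can_read_milestones?(user, release.project)
      release.milestones.map { |m| milestone_hash(m) }
    else
      []
    end
  {
    'tag_name'    => release.tag_name,
    'description' => release.description,
    'milestones'  => milestones
  }
end

# Constructed sample data mirroring the report: public project, issues and
# merge requests restricted to members, one secret milestone on one release.
def sample_release
  member  = User.new(name: 'maintainer')
  project = Project.new(id: 3, visibility: :public, issues_access: :members_only,
                        members: [member])
  secret  = Milestone.new(id: 22, title: 'secret milestone',
                          description: 'this is a very secret milestone description',
                          project: project)
  Release.new(tag_name: 'my-tag', description: 'release notes',
              project: project, milestones: [secret])
end

# Titles of milestones an unauthenticated caller would see in the releases
# response; a non-empty result is the leak the report describes.
def leaked_milestone_titles(entity_method, release)
  anonymous = nil
  send(entity_method, release, anonymous)['milestones'].map { |m| m['title'] }
end

if __FILE__ == $PROGRAM_NAME
  rel = sample_release
  puts "vulnerable, anonymous: #{JSON.generate(release_entity_vulnerable(rel, nil))}"
  puts "fixed, anonymous:      #{JSON.generate(release_entity_fixed(rel, nil))}"
  puts "fixed, member:         #{JSON.generate(release_entity_fixed(rel, rel.project.members.first))}"
end
```

The point of the fixed version is where the check lives: a serializer that exposes a nested object must apply that object's own read permission, not inherit the parent's visibility, otherwise any new association added to a public entity (here, milestones on releases) silently widens what an anonymous caller can read.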