Vulnerability related fields are available to unauthorized users on GraphQL API
Why are we doing this work
The Pipeline#securityReportFindings and Pipeline#securityReportSummary fields are not restricted to access from unauthorized users! I checked the original MRs introducing these fields (!54104 (merged) and !31550 (merged)) to understand if this is a regression, but it seems like the permission checks were missing from the beginning.
Relevant links
- I've discovered this after the thread initiated by @stanhu and the question from @adamcohen here.
Steps to reproduce
You can use the following curl command to verify that these sensitive fields are available to anyone!
If you run this command, add your IP and approximate timestamp to this table
| Who? | IP Address | Timestamp (`date -u`) |
|---|---|---|
| @bwill | 136.49.173.76 | Wed Dec 8 20:17:57 UTC 2021 (probably about 15-20 mins before this) |
| @thiagocsf | 59.102.81.249 | Wed Dec 8 19:48:00 UTC 2021 |
| @ngeorge1 | 122.181.40.178 | Thu Dec 9 12:02:10 UTC 2021 |
| @quintasan | 31.178.237.73 | Mon Dec 13 12:53:14 UTC 2021 |
```shell
curl 'https://gitlab.com/api/graphql' \
  -H 'authority: gitlab.com' \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  --data-raw '{"query":"query {\n project(fullPath: \"gitlab-org/gitlab\") {\n id\n pipeline(iid: 1031272) {\n id\n \n securityReportFindings{\n nodes {\n name\n }\n }\n \n securityReportSummary {\n dependencyScanning {\n scannedResourcesCount\n }\n }\n }\n }\n}","variables":{},"operationName":null}' \
  --compressed
```
Implementation plan
- backend: Required permissions must be applied for these fields.
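The following is an added illustration of the fix the implementation plan describes, not GitLab code and not the graphql-ruby DSL GitLab uses: a resolver that only checks project visibility (the unguarded shape this issue reports) next to one that additionally requires a field-level permission before returning the two sensitive fields. The permission name `:read_security_resource`, the `Policy` module, the `User`/`Project`/`Pipeline` structs and the sample data are all assumptions constructed for the example.

```ruby
# Added example: field-level authorization for sensitive GraphQL fields.
# Self-contained mock; not GitLab code and not the graphql-ruby gem.
# The ability :read_security_resource and the data shapes are assumptions.

User     = Struct.new(:name, :member_of)          # member_of: project paths (constructed)
Project  = Struct.new(:full_path, :visibility)    # visibility: :public or :private
Pipeline = Struct.new(:iid, :project, :findings, :summary)

# Assumed policy: anyone may read a public project, but security findings are
# visible only to project members.
module Policy
  def self.allowed?(user, ability, project)
    case ability
    when :read_project
      project.visibility == :public || (!user.nil? && user.member_of.include?(project.full_path))
    when :read_security_resource
      !user.nil? && user.member_of.include?(project.full_path)
    else
      false
    end
  end
end

# Shape reported in this issue: once the pipeline is readable (public project),
# the sensitive fields are returned with no further check.
module UnguardedPipelineType
  def self.resolve(pipeline, field, current_user)
    return nil unless Policy.allowed?(current_user, :read_project, pipeline.project)

    case field
    when :securityReportFindings then pipeline.findings
    when :securityReportSummary  then pipeline.summary
    end
  end
end

# Shape the implementation plan calls for: each sensitive field declares the
# ability it requires, checked in addition to project access.
module GuardedPipelineType
  FIELD_ABILITIES = {
    securityReportFindings: :read_security_resource,
    securityReportSummary:  :read_security_resource
  }.freeze

  def self.resolve(pipeline, field, current_user)
    return nil unless Policy.allowed?(current_user, :read_project, pipeline.project)
    return nil unless Policy.allowed?(current_user, FIELD_ABILITIES.fetch(field), pipeline.project)

    case field
    when :securityReportFindings then pipeline.findings
    when :securityReportSummary  then pipeline.summary
    end
  end
end

# Constructed sample data: a public project with one finding and a summary.
SAMPLE_PROJECT  = Project.new('example-group/example-project', :public)
SAMPLE_PIPELINE = Pipeline.new(
  1,
  SAMPLE_PROJECT,
  [{ name: 'Example finding (constructed)' }],
  { dependencyScanning: { scannedResourcesCount: 3 } }
)
ANONYMOUS = nil
MEMBER    = User.new('member', ['example-group/example-project'])

if __FILE__ == $PROGRAM_NAME
  [UnguardedPipelineType, GuardedPipelineType].each do |type|
    puts "#{type}: anonymous -> #{type.resolve(SAMPLE_PIPELINE, :securityReportFindings, ANONYMOUS).inspect}"
    puts "#{type}: member    -> #{type.resolve(SAMPLE_PIPELINE, :securityReportFindings, MEMBER).inspect}"
  end
end
```

Running the file prints the findings for both resolvers when the caller is a member, and for the anonymous caller prints the findings only from the unguarded resolver; the guarded one returns `nil`. The point the mock makes is that the check belongs on the field itself: project-level visibility is not a substitute for the permission that gates security data.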