GitLab.org / GitLab / Issues / #347467
Closed
Issue created Dec 08, 2021 by Mehmet Emin INAC (@minac), Maintainer

Vulnerability related fields are available to unauthorized users on GraphQL API

Why are we doing this work

The Pipeline#securityReportFindings and Pipeline#securityReportSummary fields are not restricted from access by unauthorized users! I checked the original MRs introducing these fields (!54104 (merged) and !31550 (merged)) to understand if this is a regression, but it seems the permission checks were missing from the beginning.

Relevant links

  • I've discovered this after the thread initiated by @stanhu and the question from @adamcohen here.

Steps to reproduce

You can use the following curl command to verify that these sensitive fields are available to anyone!

If you run this command, add your IP and approximate timestamp to this table

| Who? | IP Address | Timestamp (date -u) |
| --- | --- | --- |
| @bwill | 136.49.173.76 | Wed Dec 8 20:17:57 UTC 2021 (probably about 15-20 mins before this) |
| @thiagocsf | 59.102.81.249 | Wed Dec 8 19:48:00 UTC 2021 |
| @ngeorge1 | 122.181.40.178 | Thu Dec 9 12:02:10 UTC 2021 |
| @quintasan | 31.178.237.73 | Mon Dec 13 12:53:14 UTC 2021 |

curl 'https://gitlab.com/api/graphql' \
  -H 'authority: gitlab.com' \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  --data-raw '{"query":"query {\n  project(fullPath: \"gitlab-org/gitlab\") {\n    id\n    pipeline(iid: 1031272) {\n      id\n      \n      securityReportFindings{\n        nodes {\n          name\n        }\n      }\n     \n      securityReportSummary {\n        dependencyScanning {\n          scannedResourcesCount\n        }\n      }\n    }\n  }\n}","variables":{},"operationName":null}' \
  --compressed

Implementation plan

  • [backend] Required permissions must be applied for these fields
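Added example (not GitLab's own code): a minimal Ruby model of the defect described above, a resolver that only relies on the parent project being readable, next to a resolver that authorizes the security-report field itself and returns nil (GraphQL null) when the caller lacks the ability. The ability names, roles and sample findings are assumptions constructed for this illustration.

```ruby
# Added example, not GitLab code. Ability names and roles are assumed.
Finding = Struct.new(:name, :severity)

class Project
  attr_reader :path, :visibility, :members
  # members: user_name => role (e.g. "dev" => :developer)
  def initialize(path, visibility:, members: {})
    @path, @visibility, @members = path, visibility, members
  end
end

class Pipeline
  attr_reader :project, :findings
  def initialize(project, findings)
    @project, @findings = project, findings
  end
end

# Roles allowed to read security findings (assumed policy for the example).
SECURITY_ROLES = %i[developer maintainer].freeze

# Authorization helper; a nil user models an unauthenticated request.
def can?(user, ability, project)
  case ability
  when :read_project
    project.visibility == :public || project.members.key?(user)
  when :read_security_resource
    SECURITY_ROLES.include?(project.members[user])
  else
    false
  end
end

# Vulnerable shape: only the parent (project) is authorized, so anyone who
# can see a public project can also read its security findings.
def security_report_findings_unchecked(pipeline, user)
  return nil unless can?(user, :read_project, pipeline.project)
  pipeline.findings.map(&:name)
end

# Hardened shape: the field carries its own check and yields nil otherwise.
def security_report_findings(pipeline, user)
  return nil unless can?(user, :read_project, pipeline.project)
  return nil unless can?(user, :read_security_resource, pipeline.project)
  pipeline.findings.map(&:name)
end

# Constructed sample data: a public project with one developer and one guest.
PROJECT = Project.new("example-group/example", visibility: :public,
                      members: { "dev" => :developer, "guest" => :guest })
PIPELINE = Pipeline.new(PROJECT, [Finding.new("Hardcoded token", :high),
                                  Finding.new("Outdated dependency", :low)])
```

Calling `security_report_findings(PIPELINE, nil)` models the unauthenticated curl request above and returns nil, whereas the unchecked variant hands back every finding name.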
Edited Dec 13, 2021 by Michał Zając