GitLab.org / GitLab · Issue #347467

Vulnerability related fields are available to unauthorized users on GraphQL API

Why are we doing this work

The Pipeline#securityReportFindings and Pipeline#securityReportSummary fields are not restricted from access by unauthorized users! I checked the original MRs introducing these fields (!54104 (merged) and !31550 (merged)) to understand if this is a regression, but it seems the permission checks were missing from the beginning.

Relevant links

  • I've discovered this after the thread initiated by @stanhu and the question from @adamcohen here.

Steps to reproduce

You can use the following curl command to verify that these sensitive fields are available to anyone!

If you run this command, add your IP and approximate timestamp to this table

| Who? | IP Address | Timestamp (date -u) |
| --- | --- | --- |
| @bwill | 136.49.173.76 | Wed Dec 8 20:17:57 UTC 2021 (probably about 15-20 mins before this) |
| @thiagocsf | 59.102.81.249 | Wed Dec 8 19:48:00 UTC 2021 |
| @ngeorge1 | 122.181.40.178 | Thu Dec 9 12:02:10 UTC 2021 |
| @quintasan | 31.178.237.73 | Mon Dec 13 12:53:14 UTC 2021 |

curl 'https://gitlab.com/api/graphql' \
  -H 'authority: gitlab.com' \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  --data-raw '{"query":"query {\n  project(fullPath: \"gitlab-org/gitlab\") {\n    id\n    pipeline(iid: 1031272) {\n      id\n      \n      securityReportFindings{\n        nodes {\n          name\n        }\n      }\n     \n      securityReportSummary {\n        dependencyScanning {\n          scannedResourcesCount\n        }\n      }\n    }\n  }\n}","variables":{},"operationName":null}' \
  --compressed

Implementation plan

  • backend: Required permissions must be applied to these fields
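The following is an added illustration, not GitLab's code, of what "required permissions must be applied to these fields" means for the two fields named in this issue. It models the pre-fix schema (the security fields carry no check, so the anonymous query in the reproduction above gets real data) next to a fixed schema where each field names the permission the current user must hold, in the style of graphql-ruby's `authorize:` field option. The `User`, `Pipeline` and `Ability` classes, the permission symbols, the field names in snake_case and all sample data are hypothetical or constructed; the page does not state which GitLab policy the real fix uses.

```ruby
# Added illustration, not GitLab's code: field-level authorization for
# sensitive pipeline fields, in the style of graphql-ruby's `authorize:`
# option. All names below (User, Pipeline, Ability, the permission symbols
# and the sample data) are hypothetical or constructed for this example.

User = Struct.new(:name, :member_of, keyword_init: true)   # member_of: project full paths
Pipeline = Struct.new(:project_path, :findings, :summary, keyword_init: true)

# Toy policy layer: which user may exercise which permission on a pipeline.
module Ability
  def self.allowed?(user, permission, pipeline)
    case permission
    when :read_pipeline
      true                                     # pipeline metadata is public here
    when :read_security_findings, :read_security_summary
      # Anonymous (nil) users never qualify; members of the project do.
      !user.nil? && user.member_of.include?(pipeline.project_path)
    else
      false                                    # unknown permission: deny by default
    end
  end
end

# Field specs in the shape of a GraphQL object type. `authorize: nil`
# means "no check", which is the state the issue reports for the two
# security fields; the fixed schema names the permission each field needs.
class PipelineType
  FIELDS_BEFORE_FIX = {
    id:                       { authorize: :read_pipeline },
    security_report_findings: { authorize: nil },
    security_report_summary:  { authorize: nil },
  }.freeze

  FIELDS_AFTER_FIX = {
    id:                       { authorize: :read_pipeline },
    security_report_findings: { authorize: :read_security_findings },
    security_report_summary:  { authorize: :read_security_summary },
  }.freeze

  # Resolve one field for the current user. A field whose check fails
  # resolves to nil, mirroring how an `authorize:`-guarded field behaves,
  # rather than returning the underlying value.
  def self.resolve(pipeline, current_user, field, schema: FIELDS_AFTER_FIX)
    spec = schema.fetch(field) { raise ArgumentError, "unknown field #{field}" }
    perm = spec[:authorize]
    return nil if perm && !Ability.allowed?(current_user, perm, pipeline)

    case field
    when :id                       then "gid://example/Ci::Pipeline/1"
    when :security_report_findings then pipeline.findings
    when :security_report_summary  then pipeline.summary
    end
  end

  # Resolve a selection set, as the query in the issue does for three fields.
  def self.query(pipeline, current_user, fields, schema: FIELDS_AFTER_FIX)
    fields.to_h { |f| [f, resolve(pipeline, current_user, f, schema: schema)] }
  end
end

# Constructed sample data standing in for a real pipeline and its users.
SAMPLE_PIPELINE = Pipeline.new(
  project_path: "example-group/example-project",
  findings: ["Constructed finding: outdated dependency"],
  summary: { dependency_scanning: { scanned_resources_count: 3 } }
)
MEMBER   = User.new(name: "member", member_of: ["example-group/example-project"])
OUTSIDER = User.new(name: "outsider", member_of: [])
SELECTION = %i[id security_report_findings security_report_summary].freeze

if __FILE__ == $PROGRAM_NAME
  [[nil, "anonymous"], [OUTSIDER, "outsider"], [MEMBER, "member"]].each do |user, label|
    before = PipelineType.query(SAMPLE_PIPELINE, user, SELECTION, schema: PipelineType::FIELDS_BEFORE_FIX)
    after  = PipelineType.query(SAMPLE_PIPELINE, user, SELECTION)
    puts "#{label}: before fix => #{before.inspect}"
    puts "#{label}: after fix  => #{after.inspect}"
  end
end
```

Running the script prints the same three-field selection for an anonymous caller, a non-member and a project member, once against each schema: before the fix every caller sees the findings and the summary, after it only the member does while the public `id` field is unaffected. A regression test in this shape (anonymous and non-member callers must get nil for every vulnerability-related field) is the check that would have caught the omission the issue describes.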
Edited Dec 13, 2021 by Michał Zając