Unauthorized time entry added via API

HackerOne report #717861 by lucky_sen on 2019-10-19, assigned to @cmaxim:

Summary

GitLab restricts non-project members from adding or editing any time entry on project issues, but via an API request this restriction is easily bypassed.

Steps to reproduce

  1. Create two accounts: victim and attacker.
  2. The victim's account has one public project with a list of issues.
  3. Make an API request with the attacker's access token to add or edit the time tracking on an issue in the victim's project:
     curl --request POST --header "PRIVATE-TOKEN: ********" https://gitlab.com/api/v4/projects/****/issues/**/time_estimate?duration=3h30m
  4. The time tracker is successfully updated on the victim's project.
  • Adding time entries (time spent or estimates) is limited to project members
    (screenshot: gitlab.png)

Impact

By using an API request, any unauthorized user is able to make changes to the time trackers of public projects.

Thanks!

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • gitlab.png
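Added regression check, not part of the report or of GitLab's own code: it exercises the time-tracking write endpoints of the GitLab v4 issues API with a token belonging to a non-member account and flags any endpoint that does not reject the write with 401/403. The base URL, project id, issue iid and token are assumptions the operator supplies; the transport is injectable so the check can also run offline against a stub.

```python
import urllib.error
import urllib.parse
import urllib.request

# Mutating time-tracking endpoints under /projects/:id/issues/:iid/ in the
# GitLab v4 API. The durations are constructed sample values.
MUTATING_ENDPOINTS = (
    ("time_estimate", {"duration": "3h30m"}),
    ("reset_time_estimate", {}),
    ("add_spent_time", {"duration": "1h"}),
    ("reset_spent_time", {}),
)


def http_post(url, token, params):
    """Default transport: POST with a PRIVATE-TOKEN header; return the HTTP status."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def check_time_tracking_authz(base_url, project_id, issue_iid, nonmember_token,
                              send=http_post):
    """Return {endpoint: status} for each write attempted with a NON-member token.

    base_url / project_id / issue_iid / nonmember_token are operator-supplied
    assumptions (use a project you own and a test account that is not a member).
    """
    base = f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/issues/{issue_iid}"
    return {name: send(f"{base}/{name}", nonmember_token, params)
            for name, params in MUTATING_ENDPOINTS}


def unexpected_writes(results):
    """Endpoints that accepted a non-member write: anything not rejected with 401/403.

    An empty list means the restriction described in the report is enforced.
    """
    return sorted(name for name, status in results.items()
                  if status not in (401, 403))
```

Run `unexpected_writes(check_time_tracking_authz(...))` against a self-managed instance after upgrading; a non-empty list means a non-member can still alter time tracking through the API.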