Reporters can download corpus files from projects: gitlab.com/<NameSpace>/<ProjectName>/-/package_files/<>/download
HackerOne report #1485798 by ashish_r_padelkar
on 2022-02-19, assigned to @ankelly:
Report
Summary
Hello,
The corpus management feature is available to users with the Developer role and higher at https://gitlab.com/<NameSpace>/<ProjectName>/-/security/configuration/corpus_management.
There is a missing permission check here which allows a user with the Reporter role to download the corpus files uploaded in corpus management.
Steps to reproduce
- As an admin, go to https://gitlab.com/<NameSpace>/<ProjectName>/-/security/configuration/corpus_management and create a new corpus.
- Now log in as a Reporter in the same project and browse to https://gitlab.com/<NameSpace>/<ProjectName>/-/security/configuration/corpus_management; you will get a 404 page as you don't have access to this feature.
- Now directly use the URL https://gitlab.com/<NameSpace>/<ProjectName>/-/package_files/29539786/download to download the corpus file uploaded in step 1. It will successfully download.
You need to brute force the ID in the above URL, which is possible as it's numeric.
For easy reproduction steps, directly copy the download url from admin account and then browse it using reporter role.
What is the current bug behavior?
Reporter users can download corpus files, which are normally available only to Developer and above roles.
What is the expected correct behavior?
Downloading corpus files should be restricted to Developer and above roles.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Reporters can download corpus files from projects
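The bug class in this report, modelled as an added Ruby example that is not GitLab's code and not part of the original report: a package-file download endpoint that only checks project membership, next to one that makes corpus files inherit the Developer-and-above requirement of the corpus management feature that owns them. The numeric access levels follow GitLab's documented role ordering (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50); the structs, method names and sample data are constructed for illustration, and `enumerate_downloadable` emulates the reporter's point that sequential numeric IDs make the file ID trivially enumerable.

```ruby
# Added example (not GitLab's code): minimal model of a package-file download
# endpoint with and without the feature-level permission check.
# Access-level numbers follow GitLab's documented role ordering; everything
# else (structs, method names, sample data) is constructed for illustration.

ACCESS_LEVELS = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Project = Struct.new(:name, :members, keyword_init: true) do
  # members: { user_name => access level }; non-members get 0
  def access_level_for(user)
    members.fetch(user, ACCESS_LEVELS[:none])
  end
end

# corpus: true when the package file is a corpus uploaded via corpus management
PackageFile = Struct.new(:id, :project, :corpus, keyword_init: true)

class Forbidden < StandardError; end

# Vulnerable variant: any project member may download any package file,
# regardless of which feature the file belongs to.
def download_vulnerable(user, file)
  raise Forbidden unless file.project.access_level_for(user) >= ACCESS_LEVELS[:guest]
  "package_file_#{file.id}.bin"
end

# Fixed variant: a corpus file requires the same role as the corpus
# management page (Developer and above); ordinary package files keep the
# membership check.
def download_fixed(user, file)
  required = file.corpus ? ACCESS_LEVELS[:developer] : ACCESS_LEVELS[:guest]
  raise Forbidden unless file.project.access_level_for(user) >= required
  "package_file_#{file.id}.bin"
end

# Emulates the enumeration step from the report: walk a numeric ID range and
# return the IDs the given user can download through the given endpoint.
def enumerate_downloadable(endpoint, user, files_by_id, id_range)
  id_range.select do |id|
    file = files_by_id[id]
    next false unless file
    begin
      send(endpoint, user, file)
      true
    rescue Forbidden
      false
    end
  end
end

# Constructed sample data: one project, an admin-uploaded corpus file and a
# regular package file with sequential IDs.
PROJECT = Project.new(name: "example",
                      members: { "admin" => ACCESS_LEVELS[:owner],
                                 "dev" => ACCESS_LEVELS[:developer],
                                 "rep" => ACCESS_LEVELS[:reporter] })
FILES = {
  101 => PackageFile.new(id: 101, project: PROJECT, corpus: false),
  102 => PackageFile.new(id: 102, project: PROJECT, corpus: true)
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, reporter: #{enumerate_downloadable(:download_vulnerable, 'rep', FILES, 100..105).inspect}"
  puts "fixed, reporter:      #{enumerate_downloadable(:download_fixed, 'rep', FILES, 100..105).inspect}"
end
```

The point of the fixed variant is that the check is keyed on what the file is, not only on who is asking: a download route shared by several features has to apply the most restrictive policy of the feature that produced the file, otherwise the feature's own page being hidden (the 404 the reporter saw) gives no protection.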