Guests and Reporters will be unable to approve External Status Checks

Problem to solve

Within a Merge Request, the External Status Check's entire URL (including any query string) is shown to every Developer, Maintainer and Owner. Anyone with Guest or Reporter access, however, cannot load the check on the Merge Request and therefore cannot approve it.

Anonymous Users (don't see the status check at all):

[Screenshot: Screen_Shot_2022-09-15_at_9.53.19_AM]

Logged-in User/Guest/Reporter (sees the status check, but it always shows as "failed to load"; once status checks become "blocking", Reporters will no longer be able to approve, which they can today):

[Screenshot: Screen_Shot_2022-09-15_at_9.49.49_AM]

Developers/Maintainers (see the status check and its full URL; because no POST data can be configured, the only way to pass a "secret/token" to the external service is in the URL, so that token is exposed to every Developer and could be used to send spoofed payloads):

[Screenshot: Screen_Shot_2022-09-15_at_10.02.02_AM]

  • The only "protection" currently in place for the external service to confirm that GitLab really sent the webhook payload is to validate the sender's IP address against the GitLab IP range.
  • If the URL parameters were not visible to users, "tokens" could safely be passed there.

Proposal

  1. Allow all users to see and load the external status check if they have access to the project.
  2. Scrub all parameters from the displayed URL (anything after the ?) so that tokens can be passed there:
    1. Owners see everything.
    2. Developers / Maintainers see the URL with its query string trimmed.
    3. Everybody else sees just the check's name.
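As an added example (not GitLab's code), the following Ruby shows both halves of this issue: the display rule from the proposal above (full URL for Owners, query string trimmed for Developers/Maintainers, name only for everyone else) and, on the receiving side, the check an external service would make before trusting a payload, combining the IP-range validation described in the problem statement with a constant-time comparison of the token carried in the query string. The role names, the sample URL, the `token` parameter name and the allowlisted ranges are constructed for the example.

```ruby
require "uri"
require "ipaddr"

# Rank of each project role; anything not listed (anonymous, non-member) ranks 0.
ROLE_LEVEL = {
  "guest" => 10, "reporter" => 20, "developer" => 30, "maintainer" => 40, "owner" => 50
}.freeze

# Proposal rule: what a user of the given role sees for an external status check.
# Owners get the full URL, Developers/Maintainers the URL without query string or
# fragment, everybody else only the check's name (so a token in the query string
# is never shown to them).
def display_external_status_check(name, url, role)
  level = ROLE_LEVEL.fetch(role.to_s.downcase, 0)
  return name if level < ROLE_LEVEL["developer"]
  return url if level >= ROLE_LEVEL["owner"]

  trimmed = URI.parse(url)
  trimmed.query = nil
  trimmed.fragment = nil
  trimmed.to_s
end

# Receiver side. Constructed sample ranges standing in for the published GitLab
# webhook source ranges; a real deployment loads the current list instead.
ALLOWED_SENDER_RANGES = ["192.0.2.0/24", "2001:db8::/32"].map { |c| IPAddr.new(c) }.freeze

def sender_allowed?(remote_ip, ranges = ALLOWED_SENDER_RANGES)
  ip = IPAddr.new(remote_ip)
  ranges.any? { |range| range.family == ip.family && range.include?(ip) }
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  false
end

# Compare two strings without short-circuiting on the first differing byte, so
# response timing does not leak how many leading bytes of the token were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The token travels in the query string because no POST body can be configured;
# pull it out of the request URL the service received and compare.
def token_valid?(request_url, expected_token)
  params = URI.decode_www_form(URI.parse(request_url).query.to_s).to_h
  presented = params["token"].to_s
  return false if presented.empty?
  constant_time_equal?(presented, expected_token)
end

# Accept the payload only when BOTH the source address is allowlisted AND the
# token matches; either check alone is what the issue describes as insufficient.
def accept_status_check_payload?(remote_ip, request_url, expected_token)
  sender_allowed?(remote_ip) && token_valid?(request_url, expected_token)
end

if __FILE__ == $PROGRAM_NAME
  url = "https://checks.example.invalid/hook?token=s3cr3t&env=prod"
  %w[owner maintainer developer reporter guest].each do |role|
    puts "#{role.ljust(10)} -> #{display_external_status_check('Compliance check', url, role)}"
  end
  puts "accepted from 192.0.2.10:    #{accept_status_check_payload?('192.0.2.10', url, 's3cr3t')}"
  puts "accepted from 198.51.100.10: #{accept_status_check_payload?('198.51.100.10', url, 's3cr3t')}"
end
```

The display function only changes what the UI renders; the token is still part of the stored configuration, so the receiver-side check is what actually stops a spoofed payload from someone who learned the URL before it was trimmed.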


Edited by Nick Malcolm