
Unauthenticated users can view Environment names from public projects limited to project members only

HackerOne report #1817586 by ashish_r_padelkar on 2022-12-27, assigned to Ottilia Westerlund:

Overview

The following issue was reported by ashish_r_padelkar via HackerOne:

Hello,

I reported a similar issue before (#1083430), but back then the permission model was different. Now there is a separate permission that can be set specifically for Environments.

As per https://docs.gitlab.com/ee/ci/environments/index.html, you must have at least the Reporter role to view the list of environments. However, it is possible for unauthenticated users to see the list of environment names even when environments are set to Only Project Members.

Steps to reproduce

  1. Create a public group as Group_1 and then public project underneath as Project_1.
  2. In Project_1, under Settings > General, set Environments to be visible for Only Project Members.
  3. Create a few environments from the Environments page.
  4. If you browse as an unauthenticated user to the Environments page, you will get a not found error.
  5. Now browse to: /groups/Group_1/-/unfoldered_environment_names.json and you'll see a list of the environment names.

What is the current bug behavior?

Unauthenticated users can see a list of environment names despite the environments being set to be visible for Only Project Members.

What is the expected correct behavior?

Only project members should see the names of environments when set as Only Project Members.

Output of checks

This bug happens on GitLab.com – GitLab Enterprise Edition 15.8.0-pre 8831299643f.

Impact

Unauthenticated users can view environment names from public projects limited to project members only.

Proposal

Use a before_action to check that the user is authorized to read environments before that particular action runs.

As an example, you could do something similar to EnvironmentsController:

  before_action :authorize_read_environment!, only: [:unfoldered_environment_names]
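The following is an added example, not GitLab's own code, illustrating the before_action pattern the proposal describes. It models a public project whose environments are restricted to project members (the setting from step 2 of the report), a controller action that only checks project visibility, and the same action guarded by an environment-specific authorization filter. The MiniController, LeakyGroupController, FixedGroupController, fetch_names and Project names, the constructed project data, and the hand-rolled before_action mechanism are all assumptions for the example; in a real Rails app the filter hook comes from ActionController.

```ruby
# Added example (not GitLab code): a stripped-down Rails-style controller
# showing why a per-action authorization filter is needed. All names are
# hypothetical stand-ins for the real GitLab classes.

# Constructed data model: a project with a visibility flag, an
# environments_access setting (:everyone or :project_members), its member
# list and its environment names.
Project = Struct.new(:name, :public, :environments_access, :members, :environments)

class NotFound < StandardError; end

# Minimal stand-in for ActionController's before_action: each subclass keeps
# its own list of [method, only] filters, which run before the action.
class MiniController
  def self.filters
    @filters ||= []
  end

  def self.before_action(method, only: nil)
    filters << [method, only && Array(only)]
  end

  def initialize(current_user, project)
    @current_user = current_user
    @project = project
  end

  # Dispatch an action, running the applicable filters first.
  def process(action)
    self.class.filters.each do |method, only|
      send(method) if only.nil? || only.include?(action)
    end
    send(action)
  end

  private

  # Mirrors the intent of an authorize_read_environment! filter: when
  # environments are limited to project members, a non-member (including an
  # anonymous user, represented here as nil) gets a 404 instead of a listing.
  def authorize_read_environment!
    return if @project.environments_access == :everyone
    raise NotFound unless @current_user && @project.members.include?(@current_user)
  end
end

# The vulnerable shape: the listing action only checks that the project
# itself is visible, not the environment-specific permission.
class LeakyGroupController < MiniController
  def unfoldered_environment_names
    raise NotFound unless @project.public
    @project.environments
  end
end

# The fix proposed in the issue: guard that one action with a before_action.
class FixedGroupController < MiniController
  before_action :authorize_read_environment!, only: [:unfoldered_environment_names]

  def unfoldered_environment_names
    raise NotFound unless @project.public
    @project.environments
  end
end

# Returns what a caller would observe: the environment names, or :not_found.
def fetch_names(controller_class, user, project)
  controller_class.new(user, project).process(:unfoldered_environment_names)
rescue NotFound
  :not_found
end

# Constructed sample projects: one restricted to members, one open to everyone.
PROJECT_1 = Project.new("Project_1", true, :project_members, ["member"], %w[production staging])
PROJECT_OPEN = Project.new("Project_open", true, :everyone, ["member"], %w[review])

if __FILE__ == $0
  p fetch_names(LeakyGroupController, nil, PROJECT_1)      # anonymous user sees names
  p fetch_names(FixedGroupController, nil, PROJECT_1)      # anonymous user gets :not_found
  p fetch_names(FixedGroupController, "member", PROJECT_1) # member still sees names
  p fetch_names(FixedGroupController, nil, PROJECT_OPEN)   # open project still listable
end
```

The point of restricting the filter with `only:` is that the existing group-level actions keep their current checks, while the environment listing gets the same permission check the project's Environments page already enforces, so the JSON endpoint and the HTML page agree on who may see the names.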