Issue #388096 (Closed)
Issue created Jan 16, 2023 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Unauthenticated users can view Environment names from public projects limited to project members only

HackerOne report #1817586 by ashish_r_padelkar on 2022-12-27, assigned to Ottilia Westerlund:

Overview

The following issue was reported by ashish_r_padelkar via HackerOne:

Hello,

I reported this similar issue before (#1083430), but then it was a different permission model than now. Now there are separate permissions that can be set specifically for Environments.

As per https://docs.gitlab.com/ee/ci/environments/index.html, "You must have at least the Reporter role" to view the list of environments. However, it is possible for unauthenticated users to see the list of environment names even when environments are set to Only Project Members.

Steps to reproduce

  1. Create a public group as Group_1 and then a public project underneath it as Project_1.
  2. In Project_1, under Settings > General, set Environments to be visible for Only Project Members.
  3. Create a few environments from the Environments page.
  4. If you browse as an unauthenticated user to the Environments page, you will get a not found error.
  5. Now browse to /groups/Group_1/-/unfoldered_environment_names.json and you'll see a list of the environment names.

Examples

  • https://gitlab.com/groups/groupplanfree/-/unfoldered_environment_names.json

What is the current bug behavior?

Unauthenticated users can see a list of environment names even though they are set to be visible for Only Project Members.

What is the expected correct behavior?

Only project members should see the names of environments when set as Only Project Members.

Output of checks

This bug happens on GitLab.com – GitLab Enterprise Edition 15.8.0-pre 8831299643f.

Impact

Unauthenticated users can view environment names from public projects limited to project members only.

Proposal

Use a before_action to authorize that the current user can read environments before that particular action runs.

As an example, you could do something similar to what EnvironmentsController does:

  before_action :authorize_read_environment!, only: [:unfoldered_environment_names]
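To make the gap and the proposed guard concrete, here is an added example in plain Ruby; it is not GitLab's code and does not use Rails. It builds a miniature before_action mechanism (MiniController), a constructed Project struct with an env_visibility setting, and an assumed can_read_environments? check standing in for GitLab's read_environment policy. VulnerableGroupController mirrors the reported shape, a group-level endpoint that enumerates names across all projects without a read check; FixedGroupController adds the before_action from the proposal and additionally filters the listing to projects the current user may read, so a members-only project never leaks names into a group listing that also contains public projects.

```ruby
# Added example (not GitLab's code): the authorization gap from the report
# beside the before_action guard the proposal suggests. Project, User,
# MiniController and can_read_environments? are constructed for this example.
require 'json'

# Constructed project model: env_visibility is :everyone or :project_members.
Project = Struct.new(:name, :env_visibility, :members, :environments)

class User
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

ANONYMOUS = nil # unauthenticated request

# Assumed policy check standing in for can?(user, :read_environment, project):
# public visibility lets anyone read; members-only requires membership.
def can_read_environments?(user, project)
  return true if project.env_visibility == :everyone
  !user.nil? && project.members.include?(user.name)
end

# A miniature before_action mechanism so the example runs without Rails.
class MiniController
  def self.filters
    @filters ||= []
  end

  def self.before_action(name, only:)
    filters << [name, only]
  end

  attr_reader :current_user, :projects

  def initialize(current_user, projects)
    @current_user = current_user
    @projects = projects
  end

  # Run matching filters first; a filter that renders halts the chain, as in Rails.
  def dispatch(action)
    @response = nil
    self.class.filters.each do |name, only|
      next unless only.include?(action)
      send(name)
      return @response if @response
    end
    send(action)
    @response
  end

  private

  def render_not_found
    @response = [404, nil]
  end

  def render_json(obj)
    @response = [200, obj.to_json]
  end
end

# The reported shape: every project's environment names, no per-project read check.
class VulnerableGroupController < MiniController
  def unfoldered_environment_names
    render_json(projects.flat_map(&:environments).uniq.sort)
  end
end

# Proposed fix: authorize before the action, and list only readable projects.
class FixedGroupController < MiniController
  before_action :authorize_read_environment!, only: [:unfoldered_environment_names]

  def unfoldered_environment_names
    readable = projects.select { |p| can_read_environments?(current_user, p) }
    render_json(readable.flat_map(&:environments).uniq.sort)
  end

  private

  # 404 (matching the Environments page) when nothing in the group is readable.
  def authorize_read_environment!
    render_not_found unless projects.any? { |p| can_read_environments?(current_user, p) }
  end
end

# Constructed sample data: a members-only project beside a public one.
MEMBERS_ONLY = Project.new('Project_1', :project_members, ['alice'], %w[production staging])
PUBLIC_ENVS  = Project.new('Project_2', :everyone, [], %w[review])
GROUP_1 = [MEMBERS_ONLY, PUBLIC_ENVS]
MEMBERS_ONLY_GROUP = [MEMBERS_ONLY]

# Returns [status, parsed names or nil] for one request.
def names_for(controller_class, user, projects = GROUP_1)
  status, body = controller_class.new(user, projects).dispatch(:unfoldered_environment_names)
  [status, body && JSON.parse(body)]
end

if __FILE__ == $PROGRAM_NAME
  p names_for(VulnerableGroupController, ANONYMOUS)          # leaks Project_1's names
  p names_for(FixedGroupController, ANONYMOUS)               # only Project_2's names
  p names_for(FixedGroupController, User.new('alice'))       # member sees both
  p names_for(FixedGroupController, ANONYMOUS, MEMBERS_ONLY_GROUP) # 404
end
```

The before_action alone is not quite enough for a group-level listing: if any project in the group is readable, the filter passes, so the action itself must still scope the names to readable projects, which is why the fixed action filters as well as the guard. A regression test for the endpoint should cover both the all-restricted group (expect 404 for anonymous) and the mixed group (expect only the public project's names).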
Edited Jan 27, 2023 by Ahmed Hemdan