Owners lack visibility into the configuration of Jira connections
Problem
From #393956 (comment 1503776189):
A group owner has no way of knowing if a group is connected to the GitLab for Jira app, as this information doesn't appear anywhere in the GitLab UI.
Group owners usually expect to have full visibility into, and access to, all aspects of the group.
This can lead to situations where data is synced to Jira projects without the full knowledge of the group owners/admins.
Proposal
Display (somewhere and somehow) in the GitLab UI that a group is connected to the GitLab for Jira app.
Original HackerOne description
This MR was originally a security issue.
Click to see original HackerOne description
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1882712 by vaib25vicky
on 2023-02-22, assigned to @fvpotvin:
Report
Summary
When we integrate GitLab with the Jira cloud app, we first authorize the Jira app. The GitLab.com user only needs access when adding a new namespace. For syncing with Jira, GitLab does not depend on the user's token.
And when the GitLab for Jira cloud app is integrated with a group, there are no settings or options in GitLab from which we can disable it.
Using the above two observations, it is possible for a malicious maintainer of the group to always have access to the group's project information, even after he/she is removed.
The attack flow is like:
- The maintainer integrates his Jira cloud with the GitLab group.
- The maintainer is later kicked out of the GitLab group.
- Since there is no option to disable the Jira cloud app integration in GitLab, the owners of the group won't know about his integration and won't be able to disable it either.
- Any future commits or merge requests that use the maintainer's Jira project key are sent by GitLab to the maintainer's Jira cloud project.
One caveat here is why group members would mention the removed maintainer's Jira project key in their commit messages or merge requests.
To solve this, the attacker can do two things:
- First, he can choose a Jira project key that is commonly used in commits/merge requests, such as THE, AS, FIX, BUG, etc.
- Second, if in future any other member of the group integrates Jira cloud with the GitLab group, the attacker can guess the other member's Jira project key and create a new project in his own Jira cloud instance with the same project key. GitLab then sends commit/merge request/branch information to both Jira integrations.
Steps to reproduce
Testing is to be done on GitLab.com and your Jira cloud.
Let's say there is an owner OWR and you are a maintainer M in the group.
As Maintainer M
- Follow the official GitLab documentation https://docs.gitlab.com/ee/integration/jira/connect-app.html#install-the-gitlab-for-jira-cloud-app (there is even a video walkthrough on the same page in the docs).
- After you have successfully integrated your GitLab group with your Jira cloud instance, change the project key of your Jira project to BUG.
As Owner OWR
- Remove the maintainer from the group.
- Create a new private project in your group.
- Create a new commit with the message "BUG-1 fix".
- Or you can also create a new merge request with the title "BUG-1 fix".
You will see that all new merge requests or commits with messages mentioning BUG appear in Maintainer M's Jira project.
Impact
A removed maintainer can still access sensitive information about the group's projects through the GitLab for Jira cloud app.
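The two tricks in the report (a common-word project key, and cloning another member's key in a second Jira site) both rely on the same routing rule: any connected Jira site whose project key appears in a commit message or merge request title receives that item. The following is an added Python model of that rule, not code from the report, GitLab or Atlassian. The regex is an assumption that approximates GitLab's Jira issue-key matching, the commit messages and MR titles are constructed sample data, and the Jira site names are hypothetical. The last function is the cheap check a group owner can run over recent activity while no UI exposes the connection: list every Jira project key the group's commits and MRs reference and look for keys nobody on the team recognises.

```python
import re
from collections import Counter, defaultdict

# Assumption: GitLab looks for Jira issue keys shaped like PROJECT-123, with an
# uppercase project key followed by a dash and a number. This approximation is
# an added example, not GitLab's own matcher.
JIRA_KEY_RE = re.compile(r"\b([A-Z][A-Z_0-9]+)-(\d+)\b")


def project_keys(text):
    """Return the Jira project keys (the part before the dash) referenced in text."""
    return {proj for proj, _ in JIRA_KEY_RE.findall(text)}


def route(items, installs):
    """
    Model of the sync rule: `installs` is a list of (jira_site, project_key)
    pairs for every connected Jira site. An item is delivered to every site
    that has a matching key, so a site that cloned someone else's key receives
    the same data as the legitimate one. Each site gets an item at most once.
    """
    routed = defaultdict(list)
    for item in items:
        keys = project_keys(item)
        for site in {site for site, key in installs if key in keys}:
            routed[site].append(item)
    return dict(routed)


def referenced_key_counts(items):
    """Owner-side audit: how often each Jira project key appears in group activity."""
    counts = Counter()
    for item in items:
        counts.update(project_keys(item))
    return counts


# Constructed sample of group activity (commit messages and MR titles).
SAMPLE_ITEMS = [
    "PAY-42 handle declined cards",
    "BUG-1 fix",
    "Merge branch 'PAY-43-refund-flow'",
    "FIX-7 typo in README",
    "fix bug in parser",  # lowercase: no Jira key is matched
    "Bump BUG-12 and PAY-44 to v2",
]

# Hypothetical connected sites: the team's own PAY project, plus a removed
# maintainer's site using the common-word key BUG and a clone of the PAY key.
SAMPLE_INSTALLS = [
    ("team.atlassian.net", "PAY"),
    ("attacker.atlassian.net", "BUG"),
    ("attacker.atlassian.net", "PAY"),
]

if __name__ == "__main__":
    for site, delivered in route(SAMPLE_ITEMS, SAMPLE_INSTALLS).items():
        print(site, "<-", delivered)
    print("keys referenced:", referenced_key_counts(SAMPLE_ITEMS))
```

Run as-is, the attacker's site receives four of the six items (everything mentioning BUG or PAY) while the team's site receives three, and the audit counter shows the unexpected FIX and BUG keys alongside the team's PAY key.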
How To Reproduce
Please add reproducibility information to this section: