Backend: Schedule pipelines are visible to unauthenticated users despite public pipeline disabled
HackerOne report #2036470 by ashish_r_padelkar
on 2023-06-23, assigned to @ottilia_westerlund:
Report
Summary
Hello,
As per this documentation, https://docs.gitlab.com/ee/ci/pipelines/settings.html#change-which-users-can-view-your-pipelines, when public pipelines are disabled for public projects, guest or unauthenticated users won't see CI/CD menu items and can only see pipeline and job statuses:
For Public projects, job logs, job artifacts, the pipeline security dashboard, and the CI/CD menu items are visible only to project members (Reporter or higher). Other users, including guest users, can only view the status of pipelines and jobs, and only when viewing merge requests or commits.
However, any unauthenticated user can see the pipelines that are scheduled to run by admins even when public pipelines are disabled, and this Schedule Pipeline page is one of the menu items from CI/CD.
Steps to reproduce
1. As a public project admin, go to your CI/CD settings at https://gitlab.com/<groupNamespace>/<projectNamespace>/-/settings/ci_cd and clear the public pipeline checkbox. Make sure you save these settings.
2. Add schedule pipelines here at https://gitlab.com/<groupNamespace>/<projectNamespace>/-/pipeline_schedules.
3. Now, as any unauthenticated user, go to https://gitlab.com/<groupNamespace>/<projectNamespace>/-/pipeline_schedules and you see those schedule pipelines, which you shouldn't as per the documentation provided above.
What is the current bug behavior?
Any unauthenticated user can see schedule pipelines despite public pipeline being disabled.
What is the expected correct behavior?
It should be visible only to Reporters and higher role users.
Output of checks
This bug happens on GitLab.com. GitLab Enterprise Edition 16.2.0-pre 2a4d9de2b78
Regards,
Ashish
Impact
Schedule pipelines are visible to unauthenticated users despite public pipeline disabled
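An added audit script (not part of the report or of GitLab's code) that a project owner can run against their own projects to check for the behaviour described above: it reads the project's public-pipelines setting with an authenticated call and then asks for the schedule listing with no token at all. It assumes the REST endpoints GET /api/v4/projects/:id and GET /api/v4/projects/:id/pipeline_schedules, uses the REST listing as a stand-in for the web page the report names, and reads the setting from the public_jobs (or older public_builds) field of the project JSON.

```python
"""Audit: can anonymous users list a project's pipeline schedules when
the project's "public pipelines" setting is off? (added example, not GitLab code)"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple


def classify(public_jobs: bool, unauth_status: int, schedules: List[dict]) -> str:
    """Pure decision logic, so it can be unit-tested without a GitLab instance.

    public_jobs   -- the project's "public pipelines" setting
    unauth_status -- HTTP status of the token-less schedule listing
    schedules     -- JSON body of that listing (empty list when not 200)
    """
    if public_jobs:
        return "not-applicable"     # setting allows non-members to see pipelines
    if unauth_status == 200 and schedules:
        return "EXPOSED"            # members-only setting, yet anonymous sees schedules
    if unauth_status == 200:
        return "listing-readable"   # endpoint answered, but no schedules exist to leak
    return "ok"                     # 401/403/404: anonymous users are refused


def _get(url: str, token: Optional[str] = None) -> Tuple[int, object]:
    headers = {"PRIVATE-TOKEN": token} if token else {}   # no header => anonymous
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, []


def audit(base_url: str, project_path: str, token: str) -> str:
    """project_path is 'group/project'; token is a read_api token of a member."""
    pid = urllib.parse.quote(project_path, safe="")       # path-encoded project id
    _, project = _get(f"{base_url}/api/v4/projects/{pid}", token)
    if not isinstance(project, dict):
        raise RuntimeError("could not read project settings; check the token")
    public_jobs = bool(project.get("public_jobs", project.get("public_builds", True)))
    status, body = _get(f"{base_url}/api/v4/projects/{pid}/pipeline_schedules")
    return classify(public_jobs, status, body if isinstance(body, list) else [])


if __name__ == "__main__":
    import sys  # usage: audit.py https://gitlab.example.com group/project <token>
    print(audit(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A result of "EXPOSED" on a public project is the condition the report describes; "ok" is the documented behaviour.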