Model Experiments in public project can be removed by anonymous user

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2037702 by ashish_r_padelkar on 2023-06-25, assigned to @greg:


Report

Summary

Hello,

As per this document https://docs.gitlab.com/ee/user/project/ml/experiment_tracking/index.html#explore-model-candidates, you must have at least the Developer role to view experiment data.

However, this is not true as of now, as anyone, including non-members in public projects, can see the experiments and is even allowed to remove them. Also, in private projects, guest users (part of the team) can see and delete them too.

Steps to reproduce

1. Go to your public project https://gitlab.com/<groupNamespace>/<projectNamespace>/-/ml/experiments and set up the MLflow client as per the documentation.
2. Once you have set it up correctly, the experiments will appear on the same page.
3. Now log in as any guest user (without project membership) and you can still see and delete these experiments. (Click on the experiment name and then click on the 3 dots to delete.)


4. Similarly, in private projects, log in as a guest user and navigate to https://gitlab.com/<groupNamespace>/<projectNamespace>/-/ml/experiments and you will be able to see them as a guest user in the private project, whereas the documentation clearly says it needs the Developer role. You can delete them too!
5. This way, any guest user (without membership) in public projects can see and remove experiments, and a guest in a private project can do the same, which is against the documentation.

Examples

You can see my public project experiments here https://gitlab.com/groupjune23/latest_project/-/ml/experiments which you can see and delete without being part of the team.

What is the current bug behavior?

Model Experiments can be removed by non-project members in public projects and by guests in private projects.

What is the expected correct behavior?

Guest users in private projects should not see experiments.
Non-project members should not be able to delete experiments from public projects.

Output of checks

This bug happens on GitLab.com, GitLab Enterprise Edition 16.2.0-pre 2a4d9de2b78

Regards,
Ashish

Impact

Model Experiments can be removed by non-project members in public projects and by guests in private projects.
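The rule the report expects (experiment data requires at least the Developer role, for viewing and for deleting, regardless of project visibility) as an added Ruby illustration; this is not GitLab's code, and the weak check shown alongside is an assumed pattern that would produce the reported behaviour, not the report's stated root cause. Role names, the rank table and the scenario users are assumptions for this example.

```ruby
# Added example, not GitLab's own policy code. Role ranks are assumptions.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
MIN_EXPERIMENT_ROLE = :developer

Project = Struct.new(:visibility, :members, keyword_init: true)

# Role of `user` in `project`; nil for anonymous visitors and non-members.
def role_of(project, user)
  user && project.members[user]
end

# Weak check (assumed pattern): "can this user see the project?" answers read
# and destroy alike. An anonymous visitor to a public project, or a guest member
# of a private project, passes for every action, including delete.
def authorized_visibility_only?(project, user, _action)
  project.visibility == :public || !role_of(project, user).nil?
end

# Hardened check: read and destroy both require MIN_EXPERIMENT_ROLE or higher,
# independent of project visibility. Actions are matched explicitly so that a
# later relaxation of :read cannot silently widen :destroy.
def authorized_role?(project, user, action)
  role = role_of(project, user)
  return false if role.nil?

  at_least_developer = ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(MIN_EXPERIMENT_ROLE)
  case action
  when :read, :destroy then at_least_developer
  else false
  end
end

# Runs the scenarios from the report (constructed users) through one check and
# returns { [scenario, action] => allowed }.
def access_matrix(check)
  public_project  = Project.new(visibility: :public,  members: { "dev" => :developer })
  private_project = Project.new(visibility: :private, members: { "guest" => :guest, "dev" => :developer })
  scenarios = {
    anonymous_public:  [public_project, nil],
    guest_private:     [private_project, "guest"],
    developer_private: [private_project, "dev"],
  }
  scenarios.flat_map do |name, (project, user)|
    [:read, :destroy].map { |action| [[name, action], check.call(project, user, action)] }
  end.to_h
end
```

Comparing `access_matrix(method(:authorized_visibility_only?))` with `access_matrix(method(:authorized_role?))` shows the two rows the report flags (anonymous in a public project, guest in a private project) flipping from allowed to denied for both read and destroy.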

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: