
Unauthorized Incident Closure and Deletion by Planner Role in GitLab

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2914644 by sp4rrow on 2024-12-26, assigned to @kmorrison1:


Report

Summary

The Planner role in GitLab can close and delete incidents, despite the documented prerequisite requiring at least the Reporter role to perform these actions. This violates role-based access control (RBAC) policies and may lead to unauthorized modifications or deletions.

Steps to reproduce
  1. Log in to GitLab as a user with the Planner role for a specific project.
  2. Navigate to the project's Incidents section.
  3. Select an active incident from the list.
  4. Perform the following actions (please note I have consolidated the issues of the Planner role being able to close and delete incidents into a single comprehensive bug report):
     a. Attempt to close the incident.
     b. Attempt to delete the incident.

Observe that both actions are successfully executed, contrary to the documented prerequisites.
https://docs.gitlab.com/ee/operations/incident_management/manage_incidents.html#close-an-incident

Screenshot_2024-12-26_at_18.17.27.png

Impact

Unauthorized closure and deletion of incidents can disrupt incident response workflows, tamper with historical data, and undermine the integrity of incident tracking and reporting.

What is the current bug behavior?

The user with the Planner role is able to close and delete incidents, bypassing the documented prerequisites.

What is the expected correct behavior?

A user with the Planner role should be restricted from closing or deleting incidents. These actions should be permitted only for users with at least the Reporter role, as per the RBAC policy.
https://docs.gitlab.com/ee/operations/incident_management/manage_incidents.html#close-an-incident

Relevant logs and/or screenshots

Attached is the video Planner_close_delete_incident.mov.

Impact

The Planner role in GitLab can improperly close and delete incidents, violating the documented prerequisite requiring at least the Reporter role. This vulnerability undermines the role-based access control (RBAC) framework, allowing users with limited permissions to disrupt ongoing incident resolution workflows, erase vital incident data, and manipulate project metrics. Such actions could lead to significant operational delays, compromised audit trails, and a loss of trust in the incident management process, impacting organizational transparency and accountability.

Impacts for Closing an Incident:
  1. Disrupted Incident Response: Premature closure of an active incident can halt resolution workflows, leading to unresolved issues and prolonged downtime.
  2. Misleading Metrics: Closed incidents are often considered resolved, potentially skewing performance metrics and misrepresenting the team's efficiency.

Impacts for Deleting an Incident:
  1. Loss of Critical Data: Deleting an incident erases historical records necessary for audits, compliance, and root cause analysis (RCA).
  2. Accountability Issues: Removal of incident data can obscure responsibility and prevent accurate tracking of actions taken during an incident.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
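The reporter's steps go through the web UI. The script below is an added example (not the reporter's code and not GitLab's) that exercises the same two actions through GitLab's REST API so the behaviour can be re-checked before and after a fix: it creates a throwaway incident with a higher-privileged token, then tries to close it (PUT /projects/:id/issues/:iid with state_event=close) and delete it (DELETE /projects/:id/issues/:iid) with a token belonging to a member who holds the role under test, and compares each outcome with the minimum role the report cites from the documentation (Reporter). The environment variable names, the two-token setup, and the assumption that a refused action surfaces as HTTP 403 are choices made for this example; only the access-level integers and endpoint shapes are GitLab's own.

```python
# Added example: probe whether a GitLab role can close/delete an incident
# via the REST API. Not part of the HackerOne report or of GitLab.
# Assumptions (not from the report): the GITLAB_* variable names, a second
# higher-privileged "setup" token used to create a throwaway incident, and
# that a refused action is reported as a non-2xx status such as 403.
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# GitLab access-level integers (Guest 10, Planner 15, Reporter 20, ...).
ACCESS_LEVELS = {
    "guest": 10, "planner": 15, "reporter": 20,
    "developer": 30, "maintainer": 40, "owner": 50,
}
# Minimum role the report says the documentation requires for each action.
MIN_ROLE = {"close": "reporter", "delete": "reporter"}


def should_be_allowed(role, action):
    """Documented policy: the role must be at or above the action's minimum."""
    return ACCESS_LEVELS[role] >= ACCESS_LEVELS[MIN_ROLE[action]]


def verdict(role, action, status):
    """Classify an observed HTTP status against the documented policy.

    Any 2xx means the action went through. A role below the minimum that
    still succeeds is the bug this report describes; a role at or above the
    minimum that is refused would indicate an over-restrictive fix.
    """
    succeeded = 200 <= status < 300
    if succeeded and not should_be_allowed(role, action):
        return "VULNERABLE"
    if not succeeded and should_be_allowed(role, action):
        return "OVER-RESTRICTED"
    return "OK"


def _call(base, token, method, path, form=None):
    """Send one API request; return (status, body) instead of raising on 4xx/5xx."""
    body = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(base + path, data=body, method=method,
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base, setup_token, probe_token, project, role):
    """Create a throwaway incident with setup_token, then try to close and
    delete it with probe_token (a member holding `role`). Returns
    {action: (http_status, verdict)}."""
    pid = urllib.parse.quote(project, safe="")  # "group/project" -> "group%2Fproject"
    status, body = _call(base, setup_token, "POST", f"/api/v4/projects/{pid}/issues",
                         {"title": "rbac probe (safe to delete)", "issue_type": "incident"})
    if status != 201:
        raise RuntimeError(f"could not create probe incident: HTTP {status}")
    issue_path = f"/api/v4/projects/{pid}/issues/{json.loads(body)['iid']}"

    results = {}
    status, _ = _call(base, probe_token, "PUT", issue_path, {"state_event": "close"})
    results["close"] = (status, verdict(role, "close", status))
    status, _ = _call(base, probe_token, "DELETE", issue_path)
    results["delete"] = (status, verdict(role, "delete", status))
    if results["delete"][0] >= 300:
        # The probe token could not delete it: clean up with the setup token.
        _call(base, setup_token, "DELETE", issue_path)
    return results


if __name__ == "__main__":
    # Hypothetical variable names; nothing is sent unless all are set.
    names = ("GITLAB_URL", "GITLAB_SETUP_TOKEN", "GITLAB_PROBE_TOKEN", "GITLAB_PROJECT")
    env = {n: os.environ.get(n) for n in names}
    if all(env.values()):
        role = os.environ.get("GITLAB_PROBE_ROLE", "planner")
        out = probe(env["GITLAB_URL"].rstrip("/"), env["GITLAB_SETUP_TOKEN"],
                    env["GITLAB_PROBE_TOKEN"], env["GITLAB_PROJECT"], role)
        for action, (code, result) in out.items():
            print(f"{role} {action}: HTTP {code} -> {result}")
    else:
        print("set " + ", ".join(names) + " to run the probe")
```

Run it once with a Planner token before the fix (expect VULNERABLE on both actions if the report's UI observation holds for the API too) and again with a Reporter token after the fix (expect OK), so that a fix that only touches the UI, or one that over-restricts Reporter, is caught. The probe never touches an existing incident; it only closes and deletes the one it created.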