Endpoints not enforcing allowlists

When an MR for logging job token permissions was merged, allowlists were accidentally enforced for endpoints that are available for fine-grained permissions.

This caused an incident because some endpoints suddenly became inaccessible where they had been accessible before.

We uncovered 3 endpoints that do not enforce allowlists:

  1. GET /api/v4/groups/:id/-/packages/npm/*package_name
  2. GET /api/v4/packages/npm/*package_name
  3. GET /api/v4/groups/:id/-/packages/pypi/files/:sha256/*file_identifier

During the incident, access to these endpoints was denied for customers who:

  1. access one of these endpoints with a CI/CD job token
  2. had CI/CD job token allowlists enabled in their project
  3. had not added the group or project to which the CI/CD job token belongs to their project's allowlist

These endpoints were tagged with job_token_allowed: true, and the project can be inferred from the requested package, so in theory these endpoints can and should enforce CI/CD job token allowlists.

Edited Aug 18, 2025 by 🤖 GitLab Bot 🤖