IP Restriction Bypass through Graphql Subscription via workItemUpdated

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3027775 by rogerace on 2025-03-10, assigned to @ngeorge1:

Report

Summary

Hope this report finds you well!

GitLab enables a group owner to restrict who can access a group using an IP restriction. However, this IP restriction is bypassable through a GraphQL subscription operation, which would leak group resources to all operations allowed by subscription.

Steps to reproduce

I will leak epic information as an example. The reason I am using an epic is just for ease of reproduction. You can also leak an issue, but even an owner cannot view issues if restricted by IP, so it is hard to reproduce using an issue because you need to set a working IP restriction, control an owner account within that IP range, and another account outside that IP range.

  1. Using a GitLab Ultimate account, create a public group and a public project.
  2. Create an epic in that group, give it any name.
  3. Using an owner account, go to the group settings and restrict IP to 1.1.1.1. Don't worry, group owners can access group settings regardless of the IP restriction.
  4. Use another browser to log in to any authenticated GitLab account (attacker). This account does not need to have any connection with the group, and you can see it cannot access anything in this group. It cannot see anything, and everything in this group returns 404 to this guest.
  5. Switch back to the owner account and check the epic just created. Check the HTTP requests made, either in the browser devtools or in Burp Suite, and you will find many GraphQL requests. Look through them and you will find a mention of workItemId in the format gid://gitlab/WorkItem/{ID}; copy it.
  6. Switch back to the attacker account, go to https://gitlab.com/-/graphql-explorer, and paste in the following query, remembering to change the workItemId to yours.
subscription WorkItemUpdated {
    workItemUpdated(workItemId: "YOUR_WORKITEM_ID") {
        archived
        closedAt
        confidential
        createNoteEmail
        createdAt
        description
        descriptionHtml
        duplicatedToWorkItemUrl
        id
        iid
        lockVersion
        movedToWorkItemUrl
        name
        promotedToEpicUrl
        reference
        state
        title
        titleHtml
        updatedAt
        userDiscussionsCount
        webUrl
    }
}
  7. Send the request.
  8. Switch back to the owner account and edit the epic. You will see your edit reflected in the attacker's GraphQL response.
What is the current bug behavior?

IP restriction is bypassed using a GraphQL subscription.

What is the expected correct behavior?

IP restriction should not be bypassable using a GraphQL subscription.

Screencast_From_2025-03-10_15-34-46.webm

Impact

PR: None, since we only need an authenticated account, which is free to register, and this account does not need to have anything to do with the victim.
Confidentiality: High, since we can leak every update.
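The root cause the report describes is an access check that is applied to ordinary HTTP requests but not to the subscription channel. The Ruby example below is added here for illustration and is not GitLab's code; it sketches how a group IP allow-list can be enforced on a subscription at two points, when the client subscribes and again on every pushed update, so that a long-lived connection cannot outlive the check. The group/work-item tables, the `203.0.113.7` client address and the helper names (`ip_allowed?`, `authorize_subscription`, `deliver_update`, `AUDIT_LOG`) are all constructed for this example; only the `1.1.1.1` restriction and the `gid://gitlab/WorkItem/{ID}` id format come from the report.

```ruby
# Added example (not GitLab's code): enforce a group's IP allow-list on a
# GraphQL subscription channel, both when the client subscribes and again on
# every pushed update. All data below is constructed for illustration.
require "ipaddr"

# Constructed: group 42 is restricted to 1.1.1.1, as in step 3 of the report;
# group 43 has no restriction configured.
GROUP_IP_RESTRICTIONS = {
  42 => ["1.1.1.1/32"],
  43 => [],
}

# Hypothetical lookup from a work item's global id to the group that owns it.
WORK_ITEM_GROUP = {
  "gid://gitlab/WorkItem/100" => 42,
  "gid://gitlab/WorkItem/200" => 43,
}

# Internal audit trail of denied subscription attempts, for detection.
AUDIT_LOG = []

# True when no allow-list is configured or the client address falls inside one
# of the configured ranges. Unparseable addresses are treated as outside.
def ip_allowed?(group_id, client_ip)
  ranges = GROUP_IP_RESTRICTIONS.fetch(group_id, [])
  return true if ranges.empty?
  addr = IPAddr.new(client_ip)
  ranges.any? { |cidr| IPAddr.new(cidr).include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Authorization for a subscribe request. The caller gets the same
# [:denied, :not_found] answer whether the work item does not exist or the
# client is outside the allow-list, mirroring the 404 the report describes for
# the UI paths; the real reason is recorded in the audit log only.
def authorize_subscription(work_item_gid, client_ip)
  group_id = WORK_ITEM_GROUP[work_item_gid]
  if group_id.nil?
    AUDIT_LOG << { gid: work_item_gid, ip: client_ip, reason: :unknown_work_item }
    return [:denied, :not_found]
  end
  unless ip_allowed?(group_id, client_ip)
    AUDIT_LOG << { gid: work_item_gid, ip: client_ip, reason: :ip_restricted }
    return [:denied, :not_found]
  end
  [:ok, group_id]
end

# Fan an update out only to subscribers that still pass the check at delivery
# time, so a restriction added after the subscription was opened also applies.
# subscribers is an array of { gid:, ip: } hashes; returns what was delivered.
def deliver_update(work_item_gid, subscribers, payload)
  subscribers
    .select { |s| s[:gid] == work_item_gid }
    .select { |s| authorize_subscription(work_item_gid, s[:ip]).first == :ok }
    .map { |s| { ip: s[:ip], payload: payload } }
end

if __FILE__ == $PROGRAM_NAME
  subs = [
    { gid: "gid://gitlab/WorkItem/100", ip: "1.1.1.1" },      # owner inside the range
    { gid: "gid://gitlab/WorkItem/100", ip: "203.0.113.7" },  # unrelated account outside it
  ]
  p deliver_update("gid://gitlab/WorkItem/100", subs, { title: "edited" })
  p AUDIT_LOG
end
```

Re-running the authorization on every delivery is the part that matters for subscriptions: a check performed only at subscribe time is defeated by a client that connects while allowed and keeps the channel open after the restriction changes. Logging the internal reason while returning a uniform not-found answer keeps the denial indistinguishable from a non-existent id for the client, but still gives the operator a signal to alert on.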

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: