Unbounded fields in Work Items API
This is a security issue.
Make sure the changes are NOT implemented in gitlab repo, but rather https://gitlab.com/gitlab-org/security/gitlab
See https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/engineer.md for details
Problem description
There are a couple of array fields on the WorkItems API that have no limit set, which allows users to craft quite heavy queries.
Fields
The current fields that accept arrays without limits are:

- `milestoneTitle`, `assigneeUsernames`, `iids`, `labelName` (defined in `SharedFilterArguments`)
- `OR` filter: `assignee_usernames`, `author_usernames`, `label_names`
- `NOT` filter: `assignee_usernames`, `author_username`, `label_name`, `milestone_title`
Potential fix
Set a limit of 100, the same as already implemented for `parent_ids` and `release_tag`.
Note: 100 is quite an arbitrary number at the moment, but we can keep it that way until we have a specific use case when it has to be more/less.
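As an added example that is not GitLab's own code, the following Ruby models the proposed check over the argument names listed above (using their camelCase GraphQL names, as they appear in the sample queries), including the nested `or` and `not` filters. `MAX_ARRAY_ARGS`, `ARRAY_ARGS` and `oversized_array_args` are assumed names for this illustration.

```ruby
# Added example, not GitLab code: reject array filter arguments on the
# workItems field that exceed the proposed element limit, so that the
# nested `or`/`not` filters are covered as well as the top-level ones.

# Proposed limit from this issue (arbitrary for now, as the note says).
MAX_ARRAY_ARGS = 100

# Array-valued arguments per filter scope, as listed in the issue. The
# snake_case Ruby argument names map to camelCase in the GraphQL schema.
ARRAY_ARGS = {
  top: %w[milestoneTitle assigneeUsernames iids labelName],
  or:  %w[assigneeUsernames authorUsernames labelNames],
  not: %w[assigneeUsernames authorUsername labelName milestoneTitle]
}.freeze

# args: the workItems argument hash as a GraphQL server would receive it
# (string keys, arrays for list arguments, a hash for `or`/`not`).
# Returns a list of violation strings; empty when every array is within max.
def oversized_array_args(args, max: MAX_ARRAY_ARGS)
  violations = []

  check = lambda do |hash, scope, prefix|
    ARRAY_ARGS[scope].each do |name|
      value = hash[name]
      next unless value.is_a?(Array) # scalar or absent args are not limited here
      violations << "#{prefix}#{name}: #{value.length} > #{max}" if value.length > max
    end
  end

  check.call(args, :top, '')
  # The OR and NOT filters are separate input objects with their own fields,
  # so they need the same limit applied independently.
  %w[or not].each do |nested|
    sub = args[nested]
    check.call(sub, nested.to_sym, "#{nested}.") if sub.is_a?(Hash)
  end

  violations
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one oversized top-level array and one inside `not`.
  sample = {
    'milestoneTitle' => Array.new(101) { |i| "18.#{i}" },
    'not' => { 'labelName' => Array.new(150) { |i| "group::team-#{i}" } }
  }
  puts oversized_array_args(sample).inspect
end
```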
How to test
Sample queries, which can be run in https://gitlab.com/-/graphql-explorer:
```graphql
query milestones {
  project(fullPath: "gitlab-org/gitlab") {
    workItems(first: 100, milestoneTitle: ["18.1", "18.2"]) {
      edges {
        node {
          title
          id
        }
      }
    }
  }
}
```

```graphql
query notMilestones {
  project(fullPath: "gitlab-org/gitlab") {
    workItems(first: 100, not: {milestoneTitle: ["18.1", "18.2"]}) {
      edges {
        node {
          title
          id
        }
      }
    }
  }
}
```

```graphql
query labelNames {
  project(fullPath: "gitlab-org/gitlab") {
    workItems(first: 100, labelName: ["group::knowledge", "group::source-code"]) {
      edges {
        node {
          title
          id
        }
      }
    }
  }
}
```

```graphql
query orLabelNames {
  project(fullPath: "gitlab-org/gitlab") {
    workItems(first: 100, or: {labelNames: ["group::knowledge", "group::source-code"]}) {
      edges {
        node {
          title
          id
        }
      }
    }
  }
}
```
Edited by Alisa Frunza