Service accounts allow for deleting anyone's workflows/chats on all of GitLab.com
Summary
After some investigation, the flaw seems to only be exploitable for deleting flows. What this means is that anyone who can create a service account on GitLab.com (anyone with an Ultimate license without a trial) can go around deleting the workflows or agentic chats of any other user on GitLab.com. They just need the id, and the ids are auto-incrementing so they can be easily guessed.
Details
I just spotted https://gitlab.com/gitlab-org/gitlab/-/blob/98332e3287c485768c7cf736e7e1195332b38fae/ee/app/policies/ai/duo_workflows/workflow_policy.rb#L15 was added in !183510 (merged).
It seems to say that any service account can access the workflows of any user. But there are additional checks in place in that file which ensure the service account is a developer+ in the project/namespace the flow was created in. Agentic chat only has limits that the user needs to be able to use agentic chat anywhere and they can read the project. So it seemed like public projects might have been at risk. Then, per #561399 (comment 2689158521), it seems we don't have any way to actually assign a Duo Add-On license to service accounts. This mitigated both of these risks because the service account cannot make it past the license check.
Unfortunately, we don't have any logic, not even license checks, to prevent service accounts from deleting flows in projects/namespaces that don't belong to them. So according to https://gitlab.com/gitlab-org/gitlab/-/blob/0b50d93b47643114d2b2beafbad3b55a2a26d0dc/ee/app/policies/ai/duo_workflows/workflow_policy.rb#L56 this would imply that anyone on GitLab.com with a service account, from any group, can delete the workflows of any other user by just guessing the ids (which are auto-incrementing).
Context
This logic was intended for the specific globally owned service account we create for Duo Workflow, but it is allowing any user with a service account to access data belonging to other users, which is not intended to be shared across the project/group.
What data is in a workflow?
The kinds of private things you can read in a workflow are:
- goal: the prompt from the user in agentic chat or otherwise
- first_checkpoint: contains all the internal state of the workflow and likely lots of customer data
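
The missing scope check on delete described under Details can be pinned down as a regression test. This is an added example, not GitLab's policy code: a simplified Ruby model with hypothetical names (`can_delete_flawed?`, `can_delete_scoped?`, `cross_tenant_deletes`) and constructed sample data, assuming the corrected rule requires the same developer+ membership the page describes for the other checks.

```ruby
# Simplified model of the authorization decision; NOT GitLab's DeclarativePolicy code.
# All names and sample records below are hypothetical / constructed.
User     = Struct.new(:id, :service_account, :member_of, keyword_init: true)
Workflow = Struct.new(:id, :owner_id, :project_id, keyword_init: true)

DEVELOPER_PLUS = %i[developer maintainer owner].freeze

# Flawed shape: "is a service account" alone is enough to delete,
# with no check that the account belongs to the workflow's project.
def can_delete_flawed?(user, workflow)
  return true if user.service_account
  user.id == workflow.owner_id
end

# Scoped shape (assumed fix): every actor, service account or not, must hold
# developer+ in the workflow's project before any delete rule is considered.
def can_delete_scoped?(user, workflow)
  role = user.member_of[workflow.project_id]
  return false unless DEVELOPER_PLUS.include?(role)
  user.service_account || user.id == workflow.owner_id
end

# Regression check: ids of workflows the actor may delete in projects
# where the actor has no membership at all. Must be empty for a sound policy.
def cross_tenant_deletes(policy, actor, workflows)
  workflows
    .reject { |w| actor.member_of.key?(w.project_id) }
    .select { |w| method(policy).call(actor, w) }
    .map(&:id)
end

# Constructed sample data: two workflows owned by other users in projects 10 and 20.
WORKFLOWS = [
  Workflow.new(id: 101, owner_id: 1, project_id: 10),
  Workflow.new(id: 102, owner_id: 2, project_id: 20)
].freeze

# Service account created in an unrelated group (member of project 99 only).
OUTSIDER_SA = User.new(id: 50, service_account: true, member_of: { 99 => :owner })
# Service account that is a developer in project 10.
INSIDE_SA   = User.new(id: 51, service_account: true, member_of: { 10 => :developer })

if __FILE__ == $PROGRAM_NAME
  %i[can_delete_flawed? can_delete_scoped?].each do |policy|
    puts "#{policy}: cross-tenant deletes = #{cross_tenant_deletes(policy, OUTSIDER_SA, WORKFLOWS)}"
  end
end
```

Running the same matrix over every ability (read, update, delete) and every actor type is what catches a rule that was scoped for one ability but not another.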