Project statistics attribute is accessible by Reporter project members via GraphQL API
Update
After discussing, this is no longer a security issue. Changes were made so docs and both statistics permissions are consistent.
HackerOne report #1109795 by jimeno
on 2021-02-23, assigned to GitLab Team:
Report
Summary
GraphQL Project statistics attribute is accessible by Reporter project members while the official documentation specifies "View project statistics" is only accessible for Developer and above members.
Steps to reproduce
- With userA (victim) create a new Public project.
- Add a Wiki page, some random commits and a snippet to it so statistics aren't returned as 0.
- Go to Members and invite your userB (attacker) user as Reporter max role.
- With your attacker user, browse to the GitLab GraphQL explorer endpoint.
- Run the following query, replacing the project's path with yours:
  query h1test { project(fullPath: "naaytesting2/foobarbazz") { id statistics { snippetsSize wikiSize commitCount lfsObjectsSize } } }
- Notice project statistics are returned to the Reporter member:
  {
    "data": {
      "project": {
        "id": "gid://gitlab/Project/24629076",
        "statistics": {
          "snippetsSize": 136314,
          "wikiSize": 199229,
          "commitCount": 1,
          "lfsObjectsSize": 0
        }
      }
    }
  }
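The steps above can be turned into a repeatable permission check. The script below is an added example, not the reporter's or GitLab's own code: it sends the report's query to a GitLab instance's /api/graphql endpoint as whichever user owns the supplied personal access token (the instance URL, token and project path are placeholders you must supply) and reports whether the `statistics` object came back non-null. The parsing functions are exercised offline against a constructed copy of the response shown in the report, so you can run the check against a Reporter token and a Developer token and compare what each role receives.

```python
"""Check whether a project's GraphQL `statistics` field is visible to a user.

Added example (not code from the report or from GitLab). Assumes the standard
GitLab GraphQL endpoint at <instance>/api/graphql and a personal access token
sent as a Bearer token; the instance URL, token and project path are placeholders.
"""
import json
import urllib.request

# Fields requested in the report's query.
STATISTICS_FIELDS = ("snippetsSize", "wikiSize", "commitCount", "lfsObjectsSize")


def build_query():
    """Return the report's query, parameterised so the path is sent as a GraphQL variable."""
    # Using a variable avoids splicing the project path into the query text.
    fields = " ".join(STATISTICS_FIELDS)
    return ("query h1test($fullPath: ID!) { project(fullPath: $fullPath) "
            "{ id statistics { " + fields + " } } }")


def statistics_visible(response):
    """True when the response carries a non-null `statistics` object for the project."""
    project = (response.get("data") or {}).get("project")
    if not project:
        # Project missing or null: the user cannot see the project at all.
        return False
    return project.get("statistics") is not None


def visible_fields(response):
    """List the statistics fields that came back with a value (0 counts as a value)."""
    project = (response.get("data") or {}).get("project") or {}
    stats = project.get("statistics") or {}
    return [f for f in STATISTICS_FIELDS if stats.get(f) is not None]


def query_statistics(base_url, token, full_path):
    """POST the query as the token's user and return the decoded JSON (needs network)."""
    body = json.dumps({"query": build_query(),
                       "variables": {"fullPath": full_path}}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/graphql",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: a copy of the response the report shows for the Reporter user.
SAMPLE_REPORTER_RESPONSE = {
    "data": {
        "project": {
            "id": "gid://gitlab/Project/24629076",
            "statistics": {
                "snippetsSize": 136314,
                "wikiSize": 199229,
                "commitCount": 1,
                "lfsObjectsSize": 0,
            },
        }
    }
}

# Constructed sample: what a denied field looks like (statistics resolved to null).
SAMPLE_DENIED_RESPONSE = {
    "data": {"project": {"id": "gid://gitlab/Project/24629076", "statistics": None}}
}


if __name__ == "__main__":
    # Placeholder values; replace with a real instance, token and project path.
    BASE_URL = "https://gitlab.example.com"
    TOKEN = "<personal-access-token-of-the-reporter-user>"
    PROJECT = "group/project"
    resp = query_statistics(BASE_URL, TOKEN, PROJECT)
    print("statistics visible:", statistics_visible(resp))
    print("fields returned:", visible_fields(resp))
```

Run it once with a token belonging to the Reporter member and once with a Developer's token; if both print `statistics visible: True`, the role does not gate the field, which is the behaviour the report describes (and which the update above says was resolved by aligning the documentation rather than the API).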
Impact
Unprivileged user is able to access project statistics.
Examples
Attached project export. 2021-02-23_19-11-551_naaytesting2_foobarbazz_export.tar.gz
What is the current bug behavior?
GraphQL API doesn't honor permissions documentation and allows Reporter project members to see project statistics.
What is the expected correct behavior?
GraphQL API honors permissions documentation and requires at least Developer project membership to see project statistics.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- gitlab_project_statistics_permissions.png
- gitlab_project_members.png
- 2021-02-23_19-11-551_naaytesting2_foobarbazz_export.tar.gz
- graphql_all_details.png
How To Reproduce
Please add reproducibility information to this section: