| Titel | harness gitness 2.28.2 Authorization Bypass |
|---|
| Beschreibung | ListAllGitspaces Authorization Bypass
## Summary
The `GET /api/v1/gitspaces` endpoint fails to enforce space-level authorization when listing
a user's gitspace configurations. The `getAuthorizedSpaces()` function calls `CheckGitspace()`
for each space but always marks the space as authorized regardless of the check result, because
the missing `continue` in the "no access" branch causes `authorizedSpaceIDs[spaceID] = true` to
execute unconditionally. An authenticated user who has been removed from a space can still
retrieve their gitspace configurations (including access keys and SSH commands) from that space.
---
## Vulnerability Details
### Root Cause
`app/api/controller/gitspace/list_all.go`, lines 127–145:
```go
func (c *Controller) getAuthorizedSpaces(
ctx context.Context,
session *auth.Session,
spacesMap map[int64]string,
) (map[int64]bool, error) {
var authorizedSpaceIDs = make(map[int64]bool, 0)
for spaceID, spacePath := range spacesMap {
err := apiauth.CheckGitspace(
ctx, c.authorizer, session, spacePath, "", enum.PermissionGitspaceView,
)
if err != nil && !apiauth.IsNoAccess(err) { // line 138
return nil, fmt.Errorf("failed to check gitspace auth for space ID %d: %w", spaceID, err)
}
// BUG: no `continue` here -- falls through when err is ErrForbidden/ErrUnauthorized
authorizedSpaceIDs[spaceID] = true // line 142 -- executes unconditionally
}
return authorizedSpaceIDs, nil
}
```
`apiauth.IsNoAccess(err)` returns `true` when `err` is `ErrForbidden` or `ErrUnauthorized`
(`app/api/auth/auth.go:90`). When `CheckGitspace` denies access:
- `err != nil` → true
- `!apiauth.IsNoAccess(err)` → false (it IS a no-access error)
- Combined condition → false → does NOT return an error
- Execution falls through to `authorizedSpaceIDs[spaceID] = true`
The space is marked authorized in all cases -- authorization check has no effect.
|
|---|
| Quelle | ⚠️ https://github.com/harness/harness/issues/3689 |
|---|
| Benutzer | geochen (UID 78995) |
|---|
| Einreichung | 07.06.2026 14:32 (vor 1 Monat) |
|---|
| Moderieren | 08.07.2026 09:46 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 376787 [Harness bis 2.28.2 gitspaces Endpoint list_all.go getAuthorizedSpaces erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|