| Título | harness gitness 2.28.2 Authorization Bypass |
|---|
| Descrição | ListAllGitspaces Authorization Bypass
## Summary
The `GET /api/v1/gitspaces` endpoint fails to enforce space-level authorization when listing
a user's gitspace configurations. The `getAuthorizedSpaces()` function calls `CheckGitspace()`
for each space but always marks the space as authorized regardless of the check result, because
the missing `continue` in the "no access" branch causes `authorizedSpaceIDs[spaceID] = true` to
execute unconditionally. An authenticated user who has been removed from a space can still
retrieve their gitspace configurations (including access keys and SSH commands) from that space.
---
## Vulnerability Details
### Root Cause
`app/api/controller/gitspace/list_all.go`, lines 127–145:
```go
func (c *Controller) getAuthorizedSpaces(
ctx context.Context,
session *auth.Session,
spacesMap map[int64]string,
) (map[int64]bool, error) {
var authorizedSpaceIDs = make(map[int64]bool, 0)
for spaceID, spacePath := range spacesMap {
err := apiauth.CheckGitspace(
ctx, c.authorizer, session, spacePath, "", enum.PermissionGitspaceView,
)
if err != nil && !apiauth.IsNoAccess(err) { // line 138
return nil, fmt.Errorf("failed to check gitspace auth for space ID %d: %w", spaceID, err)
}
// BUG: no `continue` here -- falls through when err is ErrForbidden/ErrUnauthorized
authorizedSpaceIDs[spaceID] = true // line 142 -- executes unconditionally
}
return authorizedSpaceIDs, nil
}
```
`apiauth.IsNoAccess(err)` returns `true` when `err` is `ErrForbidden` or `ErrUnauthorized`
(`app/api/auth/auth.go:90`). When `CheckGitspace` denies access:
- `err != nil` → true
- `!apiauth.IsNoAccess(err)` → false (it IS a no-access error)
- Combined condition → false → does NOT return an error
- Execution falls through to `authorizedSpaceIDs[spaceID] = true`
The space is marked authorized in all cases -- authorization check has no effect.
|
|---|
| Fonte | ⚠️ https://github.com/harness/harness/issues/3689 |
|---|
| Utilizador | geochen (UID 78995) |
|---|
| Submissão | 07/06/2026 14h32 (há 1 mês) |
|---|
| Moderação | 08/07/2026 09h46 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 376787 [Harness até 2.28.2 gitspaces Endpoint list_all.go getAuthorizedSpaces Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|