Submeter #851013: harness gitness 2.28.2 Authorization Bypassinformação

Títuloharness gitness 2.28.2 Authorization Bypass
DescriçãoListAllGitspaces Authorization Bypass ## Summary The `GET /api/v1/gitspaces` endpoint fails to enforce space-level authorization when listing a user's gitspace configurations. The `getAuthorizedSpaces()` function calls `CheckGitspace()` for each space but always marks the space as authorized regardless of the check result, because the missing `continue` in the "no access" branch causes `authorizedSpaceIDs[spaceID] = true` to execute unconditionally. An authenticated user who has been removed from a space can still retrieve their gitspace configurations (including access keys and SSH commands) from that space. --- ## Vulnerability Details ### Root Cause `app/api/controller/gitspace/list_all.go`, lines 127–145: ```go func (c *Controller) getAuthorizedSpaces( ctx context.Context, session *auth.Session, spacesMap map[int64]string, ) (map[int64]bool, error) { var authorizedSpaceIDs = make(map[int64]bool, 0) for spaceID, spacePath := range spacesMap { err := apiauth.CheckGitspace( ctx, c.authorizer, session, spacePath, "", enum.PermissionGitspaceView, ) if err != nil && !apiauth.IsNoAccess(err) { // line 138 return nil, fmt.Errorf("failed to check gitspace auth for space ID %d: %w", spaceID, err) } // BUG: no `continue` here -- falls through when err is ErrForbidden/ErrUnauthorized authorizedSpaceIDs[spaceID] = true // line 142 -- executes unconditionally } return authorizedSpaceIDs, nil } ``` `apiauth.IsNoAccess(err)` returns `true` when `err` is `ErrForbidden` or `ErrUnauthorized` (`app/api/auth/auth.go:90`). When `CheckGitspace` denies access: - `err != nil` → true - `!apiauth.IsNoAccess(err)` → false (it IS a no-access error) - Combined condition → false → does NOT return an error - Execution falls through to `authorizedSpaceIDs[spaceID] = true` The space is marked authorized in all cases -- authorization check has no effect.
Fonte⚠️ https://github.com/harness/harness/issues/3689
Utilizador
 geochen (UID 78995)
Submissão07/06/2026 14h32 (há 1 mês)
Moderação08/07/2026 09h46 (1 month later)
EstadoAceite
Entrada VulDB376787 [Harness até 2.28.2 gitspaces Endpoint list_all.go getAuthorizedSpaces Elevação de Privilégios]
Pontos20

Want to know what is going to be exploited?

We predict KEV entries!