| 标题 | harness gitness 2.28.2 Authorization Bypass |
|---|
| 描述 | ListAllGitspaces Authorization Bypass
## Summary
The `GET /api/v1/gitspaces` endpoint fails to enforce space-level authorization when listing
a user's gitspace configurations. The `getAuthorizedSpaces()` function calls `CheckGitspace()`
for each space but always marks the space as authorized regardless of the check result, because
the missing `continue` in the "no access" branch causes `authorizedSpaceIDs[spaceID] = true` to
execute unconditionally. An authenticated user who has been removed from a space can still
retrieve their gitspace configurations (including access keys and SSH commands) from that space.
---
## Vulnerability Details
### Root Cause
`app/api/controller/gitspace/list_all.go`, lines 127–145:
```go
func (c *Controller) getAuthorizedSpaces(
ctx context.Context,
session *auth.Session,
spacesMap map[int64]string,
) (map[int64]bool, error) {
var authorizedSpaceIDs = make(map[int64]bool, 0)
for spaceID, spacePath := range spacesMap {
err := apiauth.CheckGitspace(
ctx, c.authorizer, session, spacePath, "", enum.PermissionGitspaceView,
)
if err != nil && !apiauth.IsNoAccess(err) { // line 138
return nil, fmt.Errorf("failed to check gitspace auth for space ID %d: %w", spaceID, err)
}
// BUG: no `continue` here -- falls through when err is ErrForbidden/ErrUnauthorized
authorizedSpaceIDs[spaceID] = true // line 142 -- executes unconditionally
}
return authorizedSpaceIDs, nil
}
```
`apiauth.IsNoAccess(err)` returns `true` when `err` is `ErrForbidden` or `ErrUnauthorized`
(`app/api/auth/auth.go:90`). When `CheckGitspace` denies access:
- `err != nil` → true
- `!apiauth.IsNoAccess(err)` → false (it IS a no-access error)
- Combined condition → false → does NOT return an error
- Execution falls through to `authorizedSpaceIDs[spaceID] = true`
The space is marked authorized in all cases -- authorization check has no effect.
|
|---|
| 来源 | ⚠️ https://github.com/harness/harness/issues/3689 |
|---|
| 用户 | geochen (UID 78995) |
|---|
| 提交 | 2026-06-07 14時32分 (1 月前) |
|---|
| 管理 | 2026-07-08 09時46分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 376787 [Harness 直到 2.28.2 gitspaces Endpoint list_all.go getAuthorizedSpaces 权限提升] |
|---|
| 积分 | 20 |
|---|