CSRF to connect GCP Kubernetes to another user's account due to missing state parameter validation
HackerOne report #463928 by cache-money
on 2018-12-17:
Summary: There's a CSRF to connect your Google account to another user's for the Kubernetes integration, due to the lack of state parameter validation. Since you can't actually go through and deploy the code to your integration, the vector would be to leave it there and have the victim accidentally deploy their code to your cluster. This isn't so improbable since the Google account hooks up to the user's account, not the project. That means if the user already has an existing connection, I can overwrite what they have set up. That means any new projects they wish to use Kubernetes for will default to my cluster.
Steps To Reproduce:
- Log in and visit https://gitlab.com/[GROUP]/[PROJECT]/clusters and click "Sign in with Google".
- Select an account but intercept and drop the GET request to https://gitlab.com/-/google_api/auth/callback?...
- Copy that link and send it to another user who's logged in.
- As that user, go into any project and click to add a Kubernetes cluster. Notice the attacker's account has already been connected and you're ready to go.
Impact
This might require some luck to pull off since the user would have to go to create another cluster, but the end result is that you can end up getting a bunch of someone else's code deployed onto your server.
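The root cause is the callback accepting any authorization code without tying the request to the session that started the flow. The following is an added illustration, not code from the report or from GitLab: a minimal model of the callback as reported (no state check) beside the fixed version that binds an unguessable state to the session and consumes it on use. The host `gitlab.example`, the codes and the account names are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SESSION_STATE_KEY = "google_oauth_state"

# Constructed stand-in for the provider's token endpoint: maps an
# authorization code to the account that produced it.
FAKE_CODES = {"code-for-attacker": "attacker@example.test",
              "code-for-victim": "victim@example.test"}

def exchange_code(code: str) -> str:
    """Stand-in for the code-for-token exchange (constructed, not a real API)."""
    return FAKE_CODES[code]

def begin_authorization(session: dict) -> str:
    """Start the flow: mint an unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session[SESSION_STATE_KEY] = state
    return state  # the app puts this in the redirect to the provider

def callback_params(url: str) -> dict:
    """Flatten the callback query string into {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def callback_vulnerable(session: dict, url: str) -> bool:
    """Reported behaviour: link whichever account the code belongs to,
    without checking that this session ever started the flow."""
    session["google_account"] = exchange_code(callback_params(url)["code"])
    return True

def callback_hardened(session: dict, url: str) -> bool:
    """Fix: state must be present and equal to the one minted for this
    session; the stored value is consumed so the link can't be replayed."""
    params = callback_params(url)
    expected = session.pop(SESSION_STATE_KEY, None)
    provided = params.get("state")
    if expected is None or provided is None:
        return False
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False
    session["google_account"] = exchange_code(params["code"])
    return True

def captured_callback_url(owner_session: dict) -> str:
    """The dropped callback from the report, as a constructed URL: a valid
    code and a state that belong to owner_session, not to whoever opens it."""
    state = begin_authorization(owner_session)
    return ("https://gitlab.example/-/google_api/auth/callback"
            f"?code=code-for-attacker&state={state}")
```

A victim session that opens the captured URL gets the attacker's account linked under the vulnerable callback and is rejected by the hardened one, whether or not the victim has a flow of their own in progress.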