Mass assignment on Project update endpoint `POST /:namespace/:project` allows moving Project to different namespaces
HackerOne report #482677 by mishre
on 2019-01-19, assigned to asaba
Summary:
By adding a single parameter to the project update request it is possible to change the project's namespace, making the project appear to be owned by any group or user on GitLab.
Description:
A user who can edit a project's settings can change the namespace of that project, effectively changing its owner so that it appears to belong to a chosen user or group. This is done by simply adding the parameter project[namespace_id], set to the desired namespace ID, to the update request.
Steps To Reproduce:
- Go to the project's settings page (General tab).
- Type in a new description for the project and click Save Changes while intercepting the request.
- While in Burp, append &project%5Bnamespace_id%5D=1 to the end of the POST body. Note: if you are running this on GitLab.com it will move your project under https://gitlab.com/sytses/.
- Your project is now placed in the new namespace.
Root cause
The permit list at https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/controllers/projects_controller.rb#L335 is too permissive: it allows parameters such as namespace_id and path, along with other attributes that should not be updatable through this endpoint (I believe that updating the path parameter might have even worse consequences, but this requires further digging).
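As an added example (not GitLab's own code, and not the fix that was shipped for this report), the following Ruby models the permit list on the project update action with a plain-Ruby stand-in for ActionController::Parameters#permit. It builds the tampered form body from the steps above, shows the injected namespace_id being applied under a permissive list and dropped under a restricted one, and shows a namespace move handled as a separately authorized action. The permit lists, namespace IDs and function names are assumptions made for illustration.

```ruby
require "uri"

# Added example, not GitLab's code. Models how Rails strong parameters gate
# a form submission on the Project update endpoint: whatever the permit list
# lets through is applied to the record. Permit lists and IDs are constructed.

ATTACKER_NAMESPACE_ID = 42  # constructed: namespace the attacker owns
TARGET_NAMESPACE_ID   = 1   # constructed: namespace the attacker does not own

# Form body the settings page sends, with the extra field appended as in the
# report. URI.encode_www_form yields project%5Bnamespace_id%5D=1.
def tampered_update_body
  URI.encode_www_form(
    "project[description]"  => "new description",
    "project[namespace_id]" => TARGET_NAMESPACE_ID.to_s
  )
end

# Unpack project[...] form fields into a plain attribute hash.
def parse_project_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), attrs|
    next unless (m = key.match(/\Aproject\[(\w+)\]\z/))
    attrs[m[1]] = value
  end
end

# Stand-in for ActionController::Parameters#permit: drop unlisted attributes.
def permit(attrs, allowed)
  attrs.select { |name, _| allowed.include?(name) }
end

# Too broad: ownership-changing attributes ride along with the description.
PERMISSIVE_PERMIT = %w[name path description namespace_id visibility_level]
# Restricted: only attributes a project maintainer may edit in place.
RESTRICTED_PERMIT = %w[name description visibility_level]

def permissive_update(project, body)
  project.merge(permit(parse_project_params(body), PERMISSIVE_PERMIT))
end

def restricted_update(project, body)
  project.merge(permit(parse_project_params(body), RESTRICTED_PERMIT))
end

# Moving a project is a separate action with its own authorization: the
# caller must administer the destination namespace, not just the project.
def transfer_project(project, new_namespace_id, namespaces_user_can_admin)
  unless namespaces_user_can_admin.include?(new_namespace_id)
    return [:forbidden, project]
  end
  [:ok, project.merge("namespace_id" => new_namespace_id)]
end

def sample_project
  { "path" => "demo", "description" => "old description",
    "namespace_id" => ATTACKER_NAMESPACE_ID }
end

if __FILE__ == $0
  body = tampered_update_body
  puts "POST body:  #{body}"
  puts "permissive: #{permissive_update(sample_project, body)}"
  puts "restricted: #{restricted_update(sample_project, body)}"
  puts "transfer:   #{transfer_project(sample_project, TARGET_NAMESPACE_ID,
                                       [ATTACKER_NAMESPACE_ID]).inspect}"
end
```

Under the permissive list the description update carries the namespace change with it; under the restricted list only the description changes, and a move has to go through transfer_project, which checks the caller's rights on the destination namespace. Parsed values stay as strings here, as they arrive from the form; a real model layer would cast them.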
Impact
An attacker can place projects under any namespace on GitLab, potentially consuming the target namespace's billing plan and impersonating other people's actions.