
Blocked user bypass with Mattermost slash command integration

HackerOne report #493562 by j-jam on 2019-02-10, assigned to estrike:

Summary

When GitLab is integrated with Mattermost slash commands and using GitLab SSO, the application correctly handles changes in repository membership, e.g. removal from a private repo means you can no longer run any slash commands, such as viewing or moving issues.

Within GitLab, when a user account is blocked, that particular user can instantly no longer use any API tokens or the web GUI to access any repo content. However, it appears a blocked user can still execute Mattermost slash commands on any repos they had access to as long as the Mattermost session is still active (30 days, I believe).

PoC setup

Local GitLab install, latest version
Ubuntu 18.04 LTS x64

Testuser1 - victim user
Testuser2 - attacker

Private project setup called testuser1-secret with user testuser2 added as developer.

PoC

-As the root user, enable the Mattermost service using the below instructions:

https://docs.gitlab.com/omnibus/gitlab-mattermost/

-As testuser1, add testuser2 as a developer on the testuser1-secret project

image1-testuser2access.PNG

-As testuser1, enable Mattermost slash commands for the testuser1-secret project

image2-slashcommands.PNG

-Login to Mattermost as testuser1, create a team with testuser2 as a member and integrate the team with the testuser1-secret project using the below instructions:

https://docs.gitlab.com/ee/user/project/integrations/mattermost_slash_commands.html

-Within a new browser session, log into Mattermost as testuser2 using the GitLab SSO option and execute a slash command on the testuser1-secret project. In this case, the command keyword is helloworld. The command run is to view a confidential issue.

Note: You will be prompted by GitLab at some point to add Mattermost as a chat client.

/helloworld issue show 11  

image3-showissue.PNG

-Login as the root user and block testuser2 from GitLab. This will prevent API and web GUI access to GitLab.

image4-blockeduser.PNG
image5-blockeduser.PNG

-Within the Mattermost session opened earlier as testuser2, attempt to execute more slash commands on the same project. You will see that the commands still work.

/helloworld issue show 12  

image6-issueaccess.PNG

Note: The above issue was added after testuser2 was blocked from GitLab.

Impact

This appears to be a bypass of the intended user block functionality within GitLab. A blocked user has no ability to use the API/Web GUI, but Mattermost slash commands still provide access to issues and deployment commands. This is dependent on the blocked user's repo access and permission level to begin with, though.
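As an added illustration of the gap the reporter describes (example code written for this page, not GitLab's own implementation; every class, method and sample value below is hypothetical), here is a Ruby model of a slash-command authorizer. The chat session caches the GitLab user resolved at SSO login time; the vulnerable path then checks only project membership, so blocking the account changes nothing until the session expires, while the hardened path also refuses any account that is not active. Membership removal is denied on both paths, matching the behaviour the report says already works.

```ruby
# Added example, not GitLab's code. Minimal model of the authorization gap:
# a cached chat session plus a membership-only check lets a blocked GitLab
# account keep running slash commands. All names here are hypothetical.

User  = Struct.new(:name, :state)               # state is :active or :blocked
Issue = Struct.new(:iid, :title, :confidential)

class Project
  attr_reader :name, :issues

  def initialize(name)
    @name = name
    @members = {}   # user name => role (:developer, :maintainer, ...)
    @issues = {}    # iid => Issue
  end

  def add_member(user, role)
    @members[user.name] = role
  end

  def remove_member(user)
    @members.delete(user.name)
  end

  def member?(user)
    @members.key?(user.name)
  end

  def add_issue(issue)
    @issues[issue.iid] = issue
  end
end

# Stands in for the Mattermost side: the slash-command request only carries a
# chat identity that was bound to a GitLab user when SSO login happened.
class ChatSession
  attr_reader :user

  def initialize(user)
    @user = user
  end
end

module SlashCommands
  # Behaviour described in the report: membership is checked, account state is not.
  def self.authorize_vulnerable(session, project)
    project.member?(session.user)
  end

  # Hardened check: a blocked account is refused even with a live session and
  # intact project membership.
  def self.authorize_hardened(session, project)
    session.user.state == :active && project.member?(session.user)
  end

  # "/<trigger> issue show <iid>": returns the issue line or an error string.
  def self.issue_show(session, project, iid, authorizer)
    return "403 Forbidden" unless send(authorizer, session, project)

    issue = project.issues[iid]
    issue ? "##{issue.iid} #{issue.title}" : "404 Not found"
  end
end

# Walks through the PoC steps with constructed data and returns each outcome.
def run_poc
  testuser2 = User.new("testuser2", :active)
  project = Project.new("testuser1-secret")
  project.add_member(testuser2, :developer)
  project.add_issue(Issue.new(11, "secret roadmap", true))
  session = ChatSession.new(testuser2)   # SSO login; session outlives the block

  results = {}
  results[:before_block] =
    SlashCommands.issue_show(session, project, 11, :authorize_vulnerable)

  testuser2.state = :blocked             # root blocks the account in GitLab
  project.add_issue(Issue.new(12, "post-block incident notes", true))

  results[:after_block_vulnerable] =
    SlashCommands.issue_show(session, project, 12, :authorize_vulnerable)
  results[:after_block_hardened] =
    SlashCommands.issue_show(session, project, 12, :authorize_hardened)

  project.remove_member(testuser2)       # membership removal is honoured by both
  results[:after_removal_vulnerable] =
    SlashCommands.issue_show(session, project, 12, :authorize_vulnerable)
  results
end

puts run_poc if $PROGRAM_NAME == __FILE__
```

The point of the hardened check is that the account-state test runs on every command, against the current user record, rather than being inferred from a session that was valid when SSO completed; any long-lived chat or bot session that resolves to a GitLab identity needs the same per-request check.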

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Related

https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/3211

Edited by Daniel Gruesso