
bypass MR approval count by exploiting Race condition in merge request approval

HackerOne report #470309 by flashdisk on 2018-12-20, assigned to asaba:

Hi,

Description:

I found a race condition issue when a user approves a merge request. He can set a number of developers to approve the merge request in order to merge it, but this can be bypassed by firing the following HTTP request using multiple threads in parallel:

POST /[user_name]/{project}/merge_requests/3/approvals HTTP/1.1
Host: gitlab.com
Connection: close

As an example, at one of my projects I was able to approve the project twice, as you see here:

racecond1.PNG

Fix

Add a lock on this endpoint when a user can approve a merge request.

Thanks!

Impact

Race condition in merge request approval

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Alexander Dietrich
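
The check-then-insert race the report describes, next to the lock it proposes, as an added example that is not part of the original report and is not GitLab code. `Rendezvous`, `ApprovalStore` and `approvals_recorded` are hypothetical names, the store is an in-memory toy, and the rendezvous stands in for the database round trip between the duplicate check and the write.

```ruby
# Added illustration, not GitLab code: a toy in-memory approval store.

# Holds callers until `n` have arrived or `timeout` seconds pass. It stands in
# for the database round trip between the duplicate check and the insert.
class Rendezvous
  def initialize(n, timeout)
    @n, @timeout, @count = n, timeout, 0
    @mutex, @cond = Mutex.new, ConditionVariable.new
  end

  def wait
    @mutex.synchronize do
      @count += 1
      @cond.broadcast if @count >= @n
      deadline = Time.now + @timeout
      while @count < @n && (left = deadline - Time.now) > 0
        @cond.wait(@mutex, left)
      end
    end
  end
end

class ApprovalStore
  attr_reader :rows # one entry per recorded approval

  def initialize(locked:, gap:)
    @locked, @gap, @rows, @lock = locked, gap, [], Mutex.new
  end

  # Returns true when a new approval row was written for `user`.
  def approve(user)
    @locked ? @lock.synchronize { check_then_insert(user) } : check_then_insert(user)
  end

  private

  def check_then_insert(user)
    return false if @rows.include?(user) # check: has this user approved already?
    @gap.call                            # window in which parallel requests overlap
    @rows << user                        # act: record the approval
    true
  end
end

# Sends `requests` parallel approvals from one user and returns the row count.
def approvals_recorded(locked:, requests: 5)
  gap = Rendezvous.new(requests, 0.3)
  store = ApprovalStore.new(locked: locked, gap: gap.method(:wait))
  Array.new(requests) { Thread.new { store.approve("alice") } }.each(&:join)
  store.rows.size
end
```

Without the lock every parallel request passes the duplicate check before any row exists, so one user is counted several times; with the lock only the first request writes a row. In a database-backed application a unique index on the merge request and user pair gives the same guarantee across processes, which an in-process mutex cannot.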