Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain
HackerOne report #565883 by ngalog
on 2019-05-04, assigned to hackerjuan
:
Summary
Hi, I found the new SCIM provisioning function allows any group owner in gitlab to create any user with verified email address. i.e. I can create user with email address ngalog@gitlab.com, and gitlab.com will think ngalog@gitlab.com is verified already.
This will bring problem to the client app that uses Gitlab as Identity Provider, and check if the user's email domain matches @gitlab.com
, then using this email verification bypass, we can access the service now.
I used to have a list of internal services/sites of gitlab uses gitlab.com to sign in and check if the signed in user has @gitlab.com as their email domain. But I can't find them any more, I am sure gitlab security team know what are those services. And exposure of those services would bring a high security impact to gitlab infrastructure.
Steps to reproduce
- In gitlab.com, upgrade your Group plan to gold
- Visit
https://gitlab.com/groups/GROUP_PATH/-/saml
and setup the SAML SSO as documented - Same page, create SCIM token
- Use the same SCIM token to issue the request below
POST /api/scim/v2/groups/YOUR_GROUP_NAME/Users HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/scim+json
Authorization: Bearer YOUR_SCIM_TOKEN
Content-Length: 291
{"externalId":"REPLACE_ME","active":null,"userName":"anyusernamewilldo","emails":[{"primary":true,"type":"work","value":"ANYGITLABEMAIL@gitlab.com"}],"name":{"formatted":"Test User","familyName":"User","givenName":"Test3"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"meta":{"resourceType":"User"}}
- And open a new private window and use https://gitlab.com/groups/GROUP_NAME/-/saml/sso?token=xqz82m-b to login using the externalId specified in the POST JSON body
- Now you are logged in as the newly created user and bypassed the email verification process
Impact
I used to have a list of internal services/sites of gitlab uses gitlab.com to sign in and check if the signed in user has @gitlab.com as their email domain. But I can't find them any more, I am sure gitlab security team know what are those services. And exposure of those services would bring a high security impact to gitlab infrastructure.
Examples
Check the user username4 on gitlab.com, you will see his email address is ngalog@gitlab.com and verified.
What is the current bug behavior?
Email is verified without going through the verification process
What is the expected correct behavior?
Email should not be verified using this method
Relevant logs and/or screenshots
This bug happens on GitLab.com
Results of GitLab environment info
This bug happens on GitLab.com)
Impact
see above
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Issue on DEV: https://dev.gitlab.org/gitlab/gitlabhq/issues/2870