HackerOne reported issue: Every user can delete public deploy keys
Jobert from HackerOne reported the following issue: https://hackerone.com/reports/195088
Vulnerability details
A GitLab instance can have public deploy keys that project admins can use for their project. An attacker can delete these public keys used by other users to deploy code.
Impact
Deleting these shared deploy keys may stop users to deploy their code.
Proof of concept
Make sure the GitLab instance has a public deploy key. Lets assume it has ID 1. Now sign in as a normal user and follow the steps below.
- Create a new project called test
- Go to http://gitlab-instance/user/test/deploy_keys
- Go to the Public deploy keys available to any project section and click the Enable button for the public deploy key
- Create an access token for the API for your own account
- Request /api/v3/projects, get the ID number for the project test
- Request /api/v3/projects/:project_id/deploy_keys, you'll see the public deploy key
- Send a DELETE request to `/api/v3/projects/:project_id/deploy_keys/:id - this will delete the public (shared) deploy key, not the relationship between the project and the key. Below is a copy of the request and response.
Request
curl -X DELETE -H "Private-Token: AAAA" http://gitlab-instance/api/v3/projects/1/deploy_keys/1
Response
{"id":1,"user_id":null,"created_at":"<removed>","updated_at":"<removed>","key":"<key>","title":"<title>","fingerprint":"72:bb:e9:cc:04:dc:64:b9:a3:e7:c2:26:8f:f2:ed:df","public":true}
The root cause of this problem lies in the following lines of code:
lib/api/deploy_keys.rb
delete ":id/#{path}/:key_id" do
key = user_project.deploy_keys.find(params[:key_id])
key.destroy
end
The destroy
method will be called on the shared deploy key instead of on the relationship.
Remediation advice
Instead of removing the entire object, remove the relationship instead when it's a public deploy key.