  • #26243
Closed
Open
Created Jan 01, 2017 by Brian Neel (@briann), Contributor

HackerOne reported issue: Every user can delete public deploy keys

Jobert from HackerOne reported the following issue: https://hackerone.com/reports/195088

Vulnerability details

A GitLab instance can have public deploy keys that project admins can use for their project. An attacker can delete these public keys used by other users to deploy code.

Impact

Deleting these shared deploy keys may stop users from deploying their code.

Proof of concept

Make sure the GitLab instance has a public deploy key. Let's assume it has ID 1. Now sign in as a normal user and follow the steps below.

  1. Create a new project called test
  2. Go to http://gitlab-instance/user/test/deploy_keys
  3. Go to the Public deploy keys available to any project section and click the Enable button for the public deploy key
  4. Create an access token for the API for your own account
  5. Request /api/v3/projects, get the ID number for the project test
  6. Request /api/v3/projects/:project_id/deploy_keys, you'll see the public deploy key
  7. Send a DELETE request to `/api/v3/projects/:project_id/deploy_keys/:id` - this will delete the public (shared) deploy key, not the relationship between the project and the key. Below is a copy of the request and response.

Request

curl -X DELETE -H "Private-Token: AAAA" http://gitlab-instance/api/v3/projects/1/deploy_keys/1

Response

{"id":1,"user_id":null,"created_at":"<removed>","updated_at":"<removed>","key":"<key>","title":"<title>","fingerprint":"72:bb:e9:cc:04:dc:64:b9:a3:e7:c2:26:8f:f2:ed:df","public":true}

The root cause of this problem lies in the following lines of code:

lib/api/deploy_keys.rb

delete ":id/#{path}/:key_id" do
  key = user_project.deploy_keys.find(params[:key_id])
  key.destroy
end

The destroy method will be called on the shared deploy key instead of on the relationship.

Remediation advice

Instead of removing the entire object, remove the relationship instead when it's a public deploy key.
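
The remediation advice above, modeled in plain Ruby as an added example (not GitLab's code and not the fix that was merged). `Store`, `delete_original`, `delete_remediated` and `scenario` are hypothetical names; the hash and the link list stand in for the deploy key table and the project-to-key join table.

```ruby
# Added illustration: in-memory stand-ins with hypothetical names, not GitLab's models.
DeployKey = Struct.new(:id, :title, :is_public)

class Store
  attr_reader :keys, :links

  def initialize
    @keys  = {} # key_id => DeployKey (the shared object)
    @links = [] # [project_id, key_id] pairs (the project<->key relationship)
  end

  def add_key(key)
    @keys[key.id] = key
  end

  def enable(project_id, key_id)
    @links |= [[project_id, key_id]]
  end

  def project_keys(project_id)
    @links.select { |p, _| p == project_id }.map { |_, k| @keys[k] }.compact
  end

  # Behaviour described in the issue: the key object itself is destroyed,
  # which also removes it from every other project that enabled it.
  def delete_original(project_id, key_id)
    key = project_keys(project_id).find { |k| k.id == key_id } or return nil
    @keys.delete(key.id)
    @links.reject! { |_, k| k == key.id }
    key
  end

  # Remediation advice: for a public key, remove only this project's relationship.
  def delete_remediated(project_id, key_id)
    key = project_keys(project_id).find { |k| k.id == key_id } or return nil
    return delete_original(project_id, key_id) unless key.is_public
    @links.delete([project_id, key_id])
    key
  end
end

# Constructed data: project 10 depends on public key 1; project 20 is the caller's "test" project.
def scenario(handler)
  store = Store.new
  store.add_key(DeployKey.new(1, "shared-ci", true))
  store.enable(10, 1)
  store.enable(20, 1)
  store.public_send(handler, 20, 1)
  { key_exists: store.keys.key?(1), victim_has_key: store.project_keys(10).any?,
    caller_has_key: store.project_keys(20).any? }
end
```

A regression test for the real endpoint can assert the same three outcomes: the key record still exists, other projects still list it, and only the caller's project has lost it.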
