GitHub import allows user to create child group under existing namespace
An improper access control weakness was detailed by Jobert via HackerOne. The details are as follows:
When importing a GitHub repository on GitLab, a request is made to
/import/github. The user is allowed to pass along a target namespace where they want to add the repository. In this process, the code will create the namespace if it doesn't exist already. However, this can be used to create a sub-group of an existing group and give you "owner" level access to the sub-group. This has a couple benefits, including being able to use the plan of the owner group, see who is part of the group (helpful in case the group is private), and, perhaps most importantly, being able to create new projects under a group you're unauthorized to.
To reproduce, make sure there's a GitLab instance that has a group a user is unauthorized to create projects / groups for. Then, sign in to the normal user account and authorize GitLab to view your GitHub projects. Intercept your network traffic, then click the "Import" button. Observe a request similar to the one below being submitted:
POST /import/github HTTP/1.1 Host: gitlab-instance ... repo_id=115670444&target_namespace=jobertabma&new_name=test
In this request, change the
secret-group/test. This will create a sub-group called
test to the group
secret-group. I perhaps was a little too excited and did this on gitlab.com and created a group called
test to the
gitlab-org namespace. Sorry about that. Feel free to remove the group. I can also do it myself, although, since it's private, I wanted to keep it around as a matter of proof of concept. To exploit this, an attacker could set a GitLab logo as their group avatar and start spreading gitlab-ce and gitlab-ee projects under the gitlab-org namespace.
The sub-group as shown on the gitlab-org group page
Automatic billing due to the relationship with gitlab-org
This has been tested against the latest version of GitLab.
Attacker can create projects under other accounts that they shouldn't have access to.