Maintainers/Owners can still impersonate each other as trigger token doesn't change
HackerOne report #495282 by ashish_r_padelkar
on 2019-02-13, assigned to asaba
Hello,
I have commented on #449372 but I did not get any reply there, so I am creating a new report here.
As I have mentioned there,
Once another user takes ownership, the original user can continue to use the API below to create jobs in the name of the new owner, as the original user knows the previous token:
curl --request POST --form token=<TokenObtainedofOwnerFromApi> --form ref=master https://gitlab.com/api/v4/projects/<ID>/trigger/pipeline
Steps
- Maintainer creates a trigger token at /settings/ci_cd#js-pipeline-triggers
- Owner takes the ownership
- Maintainer can now still impersonate the owner using the above API, as they know the token, which did not change
Suggested Fix
As a fix, I think the trigger token should change a bit. Maybe add something unique when another user takes the ownership? This will not allow the original owner to use the token again?
Regards,
Ashish
Impact
Maintainers/Owners can still impersonate each other as trigger token doesn't change
Edited by Alexander Dietrich
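The behaviour reported above and the fix the reporter suggests, as an added example that is not part of the report and not GitLab's code: a simplified in-memory model of the trigger store, where take_ownership() changes only the owner (the reported behaviour) and take_ownership_rotating() also issues a fresh token so the previous holder's copy stops resolving to anyone. The class, method and user names are assumptions made for the example.

```python
"""Model of a pipeline trigger store: reported behaviour beside a rotating fix.

Added example, not GitLab's implementation. Names are illustrative."""
import secrets


class TriggerStore:
    def __init__(self):
        self._by_token = {}  # token -> {"id": int, "owner": str}
        self._next_id = 1

    def create(self, owner):
        """Create a trigger; the returned token is the only credential."""
        token = secrets.token_hex(20)  # same length as a GitLab trigger token
        self._by_token[token] = {"id": self._next_id, "owner": owner}
        self._next_id += 1
        return token

    def _find(self, trigger_id):
        for token, t in self._by_token.items():
            if t["id"] == trigger_id:
                return token, t
        raise KeyError(trigger_id)

    def take_ownership(self, trigger_id, new_owner):
        """Reported behaviour: only the owner field changes, the token stays."""
        _, t = self._find(trigger_id)
        t["owner"] = new_owner

    def take_ownership_rotating(self, trigger_id, new_owner):
        """Hardened variant: ownership change invalidates the old token."""
        old_token, t = self._find(trigger_id)
        del self._by_token[old_token]
        new_token = secrets.token_hex(20)
        self._by_token[new_token] = {"id": t["id"], "owner": new_owner}
        return new_token

    def pipeline_user(self, token):
        """Identity a pipeline created with this token runs as (None = rejected)."""
        t = self._by_token.get(token)
        return t["owner"] if t else None


def demo():
    """Returns (who the old token acts as after take-ownership, after rotation)."""
    store = TriggerStore()
    old_token = store.create("maintainer")   # constructed user names
    store.take_ownership(1, "owner")
    impersonates = store.pipeline_user(old_token)   # "owner": the flaw
    store.take_ownership_rotating(1, "owner")
    after_fix = store.pipeline_user(old_token)      # None: old copy rejected
    return impersonates, after_fix
```

Until ownership changes rotate the token, the practical mitigation is to delete and recreate the trigger after a transfer rather than taking ownership of it.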