Bypass MR approval count by exploiting race condition in merge request approval
HackerOne report #470309 by flashdisk on 2018-12-20, assigned to asaba:
Hi,
Description:
I found a race condition issue when a user approves a merge request. He can set a number of developers to approve the merge request in order to merge it, but this can be bypassed by firing the following HTTP request using multiple threads in parallel:
POST /[user_name]/{project}/merge_requests/3/approvals HTTP/1.1
Host: gitlab.com
Connection: close
As an example, at one of my projects I was able to approve the project twice, as you see here:
Fix
Add a lock on this endpoint when a user can approve a merge request.
Thanks!
Impact
Race condition in merge request approval
Edited by Alexander Dietrich
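The check-then-write race and the lock proposed under "Fix", as an added example that is not part of the original report and is not GitLab's code. It assumes the approval path checks for an existing approval and then writes a row as two separate steps; `ApprovalStore`, `simulate`, the user name and the latency value are all constructed for illustration.

```ruby
# Constructed model, not GitLab code: an approval store whose
# "already approved?" check and the write are separate steps (assumed).
class ApprovalStore
  attr_reader :approvals

  def initialize(required:, db_latency: 0.1)
    @required = required      # approvals needed before merge is allowed
    @db_latency = db_latency  # simulated gap between check and write
    @approvals = []           # one entry per stored approval row
    @lock = Mutex.new
  end

  # Unsafe: check-then-act with nothing serializing the two steps.
  def approve_unlocked(user)
    return false if @approvals.include?(user)
    sleep(@db_latency)        # parallel requests run their check in this window
    @approvals << user
    true
  end

  # Hardened: check and write happen under one lock, as the report suggests.
  def approve_locked(user)
    @lock.synchronize { approve_unlocked(user) }
  end

  # Merge gate that counts rows rather than distinct approvers.
  def mergeable?
    @approvals.size >= @required
  end

  def distinct_approvers
    @approvals.uniq.size
  end
end

# Send n parallel approvals from the same user and return the store.
def simulate(method_name, n: 8, required: 2)
  store = ApprovalStore.new(required: required)
  Array.new(n) { Thread.new { store.public_send(method_name, "alice") } }.each(&:join)
  store
end

if __FILE__ == $PROGRAM_NAME
  %i[approve_unlocked approve_locked].each do |m|
    s = simulate(m)
    puts "#{m}: rows=#{s.approvals.size} distinct=#{s.distinct_approvers} mergeable=#{s.mergeable?}"
  end
end
```

The in-process `Mutex` only stands in for the idea of serializing the check and the write; a multi-process deployment needs the same guarantee at the storage layer, for example a row lock or a unique constraint on the (merge request, user) pair.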