Get list of members of any private groups from gitlab using merge request approval rules
HackerOne report #518995 by ashish_r_padelkar on 2019-03-30, assigned to jritchey:
Summary
Hello,
It is possible to get a list of all the members from any private group for project maintainers/owners
Steps to reproduce
- As a project owner/maintainer, go to https://gitlab.com/<UserName>/<ProjectName>/edit#js-merge-request-approval-settings
- Now add any (your) group that you get in your dropdown of Approvers
- Capture the request like below.
POST /<UserName>/<ProjectName> HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 53
Accept: application/json, text/plain, */*
Origin: https://gitlab.com
X-CSRF-Token: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Referer: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1
_method=PATCH&project%5Bapprover_group_ids%5D=3752673
- As you can see, there is an approver_group_ids parameter there. Just change this to any private group ID that you don't own (sequential ID)
- Now create a merge request.
- Look at the merge request participants on the right side. It will display all the members from the private group that you just added (plus your account)
Regards,
Ashish
What is the current bug behavior?
Possible to add any private/public group to the merge request approvals
What is the expected correct behavior?
Only eligible approvers should be allowed as mentioned here https://gitlab.com/help/user/project/merge_requests/merge_request_approvals
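The expected behaviour described above amounts to a server-side allow-list: the approver_group_ids a client submits have to be checked against the groups the current user is actually eligible to choose, not merely filtered in the dropdown, because the form body can be edited before it is sent. The Ruby below is an added illustration written for this page, not GitLab's code; the GROUP_MEMBERSHIPS table, the user names and the function names are constructed for the example, and the form body mirrors the shape of the captured request.

```ruby
require 'uri'
require 'set'

# Constructed sample data (hypothetical): the groups each user is a member of and
# is therefore eligible to select as approvers. A real application would load this
# from its membership tables for the current user.
GROUP_MEMBERSHIPS = {
  'alice' => Set[3752673, 3752680],
  'bob'   => Set[4000001]
}.freeze

# Parse a form body shaped like the captured request:
#   _method=PATCH&project%5Bapprover_group_ids%5D=3752673
# Returns the submitted approver group IDs as strings (comma-separated values allowed).
def submitted_group_ids(form_body)
  params = URI.decode_www_form(form_body).to_h
  raw = params.fetch('project[approver_group_ids]', '')
  raw.split(',').map(&:strip).reject(&:empty?)
end

# Server-side check: keep only the IDs the current user is eligible to choose and
# report the ones that were rejected, so the caller can refuse them and log the attempt.
def authorize_approver_groups(current_user, form_body)
  eligible = GROUP_MEMBERSHIPS.fetch(current_user, Set.new)
  ids = submitted_group_ids(form_body).map { |s| Integer(s, 10) } # non-numeric input raises ArgumentError
  allowed, rejected = ids.uniq.partition { |id| eligible.include?(id) }
  { allowed: allowed, rejected: rejected }
end

# Audit line a detection pipeline could key on: a non-empty rejected list means the
# client submitted a group ID it was never offered in the dropdown.
def audit_line(current_user, result)
  return nil if result[:rejected].empty?
  "approver_group_ids_rejected user=#{current_user} ids=#{result[:rejected].join(',')}"
end

if __FILE__ == $PROGRAM_NAME
  # One eligible ID and one the user is not a member of, in a single request
  body = '_method=PATCH&project%5Bapprover_group_ids%5D=3752673%2C4000001'
  result = authorize_approver_groups('alice', body)
  puts "allowed=#{result[:allowed]} rejected=#{result[:rejected]}"
  puts audit_line('alice', result)
end
```

Only the `allowed` list should ever be persisted; the presence of anything in `rejected` is the signal that the browser-side dropdown was bypassed, which is exactly the condition the report demonstrates.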
Relevant logs and/or screenshots
Shown in screenshots in reproduction steps
Output of checks
This bug happens on GitLab.com and might be on local installations too
Regards,
Ashish
Impact
Possible to find members of all the gitlab private groups
