User Can Unlock a File or Folder of a Project That They Locked Even if the User Currently Doesn't Have Push Access to the Project
HackerOne report #686801 by rafiem on 2019-09-03, assigned to jmatos_bgtvf:
Hi Team,
I have found improper access control in locking and unlocking files or folders in a project. In this case, a user that previously locked a file or folder in a project can unlock it even if the user doesn't have permission to lock or unlock files and folders in the project. In a project, a user needs at least the "Developer" access level to lock and unlock files. In public projects, even a non-member of the project can unlock the files or folders that he/she previously locked, while in private projects, the user needs to be at least a "Reporter" to unlock the file or folder he/she locked as a "Developer" or higher. Sure, there is a Maintainer role that can lock and unlock any files and folders, but in this case, a user that doesn't have push access to the project should not be able to unlock a file or folder, even if the file or folder was previously locked by them.
Proof of Concept
1.) User A has a public project and a private project.
2.) User A invites User B as "Developer" to both projects.
3.) User B locks a file in User A's private and public project.
4.) User A then makes User B a non-member in the public project and lowers User B's access level to "Reporter" in the private project.
5.) Notice that User B cannot unlock the file when viewing the content of the file: https://gitlab.com/<User A>/<project name>/blob/<branch name>/<name of locked file>; it will give an error response.
6.) But User B can still unlock the file that he/she previously locked at: https://gitlab.com/<User A>/<project name>/path_locks
PoC video attached
Impact
An unauthorized user (one that doesn't have push access to the project) can still unlock a file or folder that he/she previously locked.
Best Regards,
@rafiem
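The authorization gap the report describes, modelled as an added example in Ruby (this is illustrative code, not GitLab's own implementation): a flawed unlock rule that only asks "does this user own the lock?" is placed beside a hardened rule that first requires push access, which is the same precondition as taking the lock. The role ordering, project visibility handling, user names and file path are constructed assumptions for the model.

```ruby
# Added illustration, not GitLab's code: a minimal model of path-lock authorization
# showing the flawed rule the report describes beside a hardened one.

# Role ordering is an assumption used only for comparisons in this model.
ROLE_LEVEL = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

PathLock = Struct.new(:path, :owner)

class Project
  attr_reader :locks

  # members: user => role symbol; non-members are :none.
  def initialize(visibility:, members: {})
    @visibility = visibility
    @members = members.dup
    @locks = {}
  end

  def set_role(user, role)
    @members[user] = role
  end

  def role_of(user)
    @members.fetch(user, :none)
  end

  # A non-member can see a public project but not a private one.
  def can_read?(user)
    @visibility == :public || role_of(user) != :none
  end

  def can_push?(user)
    ROLE_LEVEL[role_of(user)] >= ROLE_LEVEL[:developer]
  end

  def maintainer?(user)
    ROLE_LEVEL[role_of(user)] >= ROLE_LEVEL[:maintainer]
  end

  def lock(user, path)
    raise ArgumentError, "#{user} cannot lock #{path}" unless can_push?(user)
    @locks[path] = PathLock.new(path, user)
  end

  # Flawed rule (the behaviour reported at /path_locks): anyone who can see the
  # project may remove a lock they own, regardless of their current push access.
  def unlock_flawed?(user, path)
    lock = @locks[path]
    return false unless lock && can_read?(user)
    lock.owner == user || maintainer?(user)
  end

  # Hardened rule: unlocking is a write action on the repository, so push access
  # is checked first; only then does "own lock or maintainer" decide.
  def unlock_hardened?(user, path)
    lock = @locks[path]
    return false unless lock && can_push?(user)
    lock.owner == user || maintainer?(user)
  end
end

# Replays the report's steps with constructed users and returns each rule's verdict.
def reproduce_scenario
  a = "user_a"
  b = "user_b"
  path = "docs/spec.md" # constructed file name
  public_project  = Project.new(visibility: :public,  members: { a => :maintainer, b => :developer })
  private_project = Project.new(visibility: :private, members: { a => :maintainer, b => :developer })

  public_project.lock(b, path)   # step 3: B locks while still a Developer
  private_project.lock(b, path)

  public_project.set_role(b, :none)       # step 4: B removed from the public project
  private_project.set_role(b, :reporter)  #         and demoted to Reporter in the private one

  {
    public_flawed:        public_project.unlock_flawed?(b, path),
    public_hardened:      public_project.unlock_hardened?(b, path),
    private_flawed:       private_project.unlock_flawed?(b, path),
    private_hardened:     private_project.unlock_hardened?(b, path),
    maintainer_still_can: public_project.unlock_hardened?(a, path) && private_project.unlock_hardened?(a, path)
  }
end

if __FILE__ == $PROGRAM_NAME
  reproduce_scenario.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the file prints `true` for both flawed verdicts (the non-member and the Reporter both get to unlock their old lock) and `false` for both hardened ones, while the Maintainer's unlock still succeeds. The design point is that the lock and unlock endpoints should share the same capability check, so that a later change in membership is reflected in both paths rather than only in the file view.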