Reject manually pushing a merge commit when merge request approval requirements are not met
Problem to solve
A user with push permissions can push a merge commit, closing the open merge request, and potentially bypassing merge requirements.
This is not a security issue because the user has push permissions, and can already push whatever they want.
Further details
When configuring merge request approval requirements, push permissions should be restricted typically, to prevent the merge request controls being bypassed.
Original HackerOne report
HackerOne report #683906 by hd7exploit on 2019-08-28, assigned to jmatos_bgtvf:
Summary
Improper Access Control on Merge Request, lead to a User can merge his code into a branch without Merge Request setting.
Steps to reproduce
2 users created as below:
-Coda1 as Developer
-Coda3 as Owner
- Coda1 create a branch Master2.
- Coda3 create a branch Master1.
- Coda1 create a Merge Request from Master2 to Master1 and assign Coda3 for approval.
- Coda1, On user interface of Merge Request, Coda1 can not merge Merge Request because of setting as image 2.setting.png
- Coda1 can bypass the setting via merging Master2 into Master1 on locally, then push Master1 to Gitlab as image 1.Result.png
Impact
User can merge MR without Merge Request setting.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Proposal
If there is an open merge request, and a merge commit it pushed for that merge request, it should be rejected unless all approval requirements have been met.