Skip to content

Group Maintainers can Create/Delete Deploy tokens using API

HackerOne report #828154 by ashish_r_padelkar on 2020-03-24, assigned to @dcouture:

Summary

Hello,

New API release in 12.9 of Deploy tokens,A group maintainer is able to create/delete group deploy tokens which i think is not intended. These create/delete functionality is only available to group owners in group settings in UI.

https://docs.gitlab.com/ee/api/deploy_tokens.html#create-a-group-deploy-token

Steps to reproduce

  1. As a group maintainer, just run the below API

curl --request POST --header "PRIVATE-TOKEN: <Token>" --header "Content-Type: application/json" --data '{"name": "My deploy token", "expires_at": "2098-02-02", "username": "custom-user", "scopes": ["read_repository"]}' "https://gitlab.com/api/v4/groups/<ID>/deploy_tokens/"

  1. This will create a group level deploy token.

  2. You can also delete the tokens created by group admin using below API

curl --request DELETE --header "PRIVATE-TOKEN: <Token>" "https://gitlab.com/api/v4/groups/<ID>/deploy_tokens/<ID>"

What is the current bug behavior?

Group Maintainers are able to create/delete group deploy tokens

What is the expected correct behavior?

Group Maintainers shouldnt be allowed to create /delete deploy tokens

Output of checks

This bug happens on GitLab.com and probably on omnibus installations too!

Regards,
Ashish

Impact

Group Maintainers are able to create/delete deploy tokens