MR author can bypass merge request approval rules and trick maintainers into accepting the MR
HackerOne report #953994 by vaib25vicky on 2020-08-08, assigned to @ngeorge1:
Hi,
In the project settings, merge request approval rules are defined as
There is a bug in the UI which displays "merge request approved" when the MR author changes the approver to himself. This doesn't happen if any user other than the author is added as approver.
The correct message should be like "Requires approval from <name>", which is displayed to other approvers, but when the author is the approver this is not happening.
Steps to reproduce
(Step-by-step guide to reproduce the issue, including:)
- Create a test public project having settings
- Log in as another user who is not a member of the project
- Create an MR and, in the approval rules, edit the "test" rule
- Delete the current approver and add a public group of which you are a member
- You'll see that "merge request approved" is displayed even though no one approved the MR
Impact
If the maintainer has set that the MR should be approved by the security team before accepting, then this bug can trick maintainers into accepting an unapproved MR in the project.
What is the current bug behavior?
The bug is that "merge request approved" is displayed even when no one has approved the MR.
What is the expected correct behavior?
The correct behaviour should be "Requires approval from <name>" even when the author makes himself the approver.
Output of checks
This bug happens on GitLab.com
Impact
MR author can bypass merge request approval rules and trick maintainers into accepting an unapproved MR
Attachments
Warning: Attachments received through HackerOne, please exercise caution! [REDACTED]
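The failure mode in this report is an approval status derived from who is listed as an approver rather than from who actually approved, combined with the author being able to list themselves (directly or through a group they belong to). The following is an added illustration, not GitLab's code and not from the report: a small Ruby model of approval-rule evaluation in which the status is computed only from recorded approvals, the MR author is always excluded from the set of eligible approvers, and a rule whose eligible set collapses to nothing still reports that approval is required. The class names (`MergeRequest`, `ApprovalRule`, `Group`), the rule name `test`, and the user and group names are assumptions constructed for the example.

```ruby
# Added example (not GitLab's code): approval evaluation that never treats
# "approver listed" as "approval given" and never counts the MR author.
require 'set'

# Constructed data model; names are assumptions for illustration only.
ApprovalRule = Struct.new(:name, :approvals_required, :users, :groups, keyword_init: true)
Group        = Struct.new(:name, :members, keyword_init: true)

class MergeRequest
  attr_reader :author, :rules, :approvals

  def initialize(author:, rules:)
    @author    = author
    @rules     = rules
    @approvals = Set.new # usernames who explicitly recorded an approval
  end

  # Record an approval. The author can never approve their own MR.
  def approve!(user)
    raise ArgumentError, "author cannot approve their own merge request" if user == author
    @approvals << user
  end

  # Users who may satisfy a rule: direct users plus members of listed groups,
  # always minus the author. Editing a rule to add yourself, directly or via
  # a public group you belong to, therefore changes nothing.
  def eligible_approvers(rule)
    eligible = rule.users.to_set
    rule.groups.each { |g| eligible.merge(g.members) }
    eligible.delete(author)
  end

  # Status of one rule, derived only from recorded approvals by eligible users.
  def rule_status(rule)
    eligible = eligible_approvers(rule)
    given    = (approvals & eligible).size
    if given >= rule.approvals_required
      "approved"
    elsif eligible.empty?
      # The author removed everyone but themselves: still not approved.
      "Rule #{rule.name}: no eligible approvers remain; approval still required"
    else
      "Requires approval from #{eligible.to_a.sort.join(', ')} (#{given}/#{rule.approvals_required})"
    end
  end

  def approved?
    rules.all? { |r| rule_status(r) == "approved" }
  end

  # What a maintainer should see in the UI.
  def status_message
    return "merge request approved" if approved?
    rules.map { |r| rule_status(r) }.reject { |s| s == "approved" }.join("; ")
  end
end

# Constructed scenario mirroring the report: the author replaces the
# security group on the rule with a public group containing only themselves.
def report_scenario
  security = Group.new(name: "security", members: ["alice", "bob"])
  mine     = Group.new(name: "public-group", members: ["dave"])
  rule     = ApprovalRule.new(name: "test", approvals_required: 1, users: [], groups: [security])
  mr       = MergeRequest.new(author: "dave", rules: [rule])

  before = mr.status_message        # "Requires approval from alice, bob (0/1)"
  rule.groups.replace([mine])       # the author edits the rule
  after  = mr.status_message        # still not approved
  [before, after]
end

if __FILE__ == $PROGRAM_NAME
  before, after = report_scenario
  puts "before edit: #{before}"
  puts "after edit:  #{after}"
end
```

The design point is that `status_message` has a single source of truth, the `approvals` set populated only by `approve!`, and that the author is subtracted in `eligible_approvers` before any counting happens, so the UI cannot be driven to "approved" by changing who is listed on a rule.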