Gitlab.com Group Deletion Through Slug Collision - v2: Display Name / Slug Confusion

HackerOne report #960000 by jcahill on 2020-08-16, assigned to @kaunghtet:

Report | Attachments

Report

> NOTE! Thanks for submitting a report! Please replace all the (parenthesized) sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

Summary

This bug is a data security issue affecting groups on gitlab.com. Other GitLab instances have not been tested by the researcher, but may also be affected. The effect of the bug is the improper deletion of incorrect groups, along with all their sub-groups and projects.

Steps to reproduce

To reproduce:

  1. Create /group-a
  2. Create /group-b
  3. Navigate to /groups/group-b/-/edit
  4. Change Group name with "group-a" as input.
  5. Change group URL with "group-a" as input.
    • This appears to fail.
    • The page now refreshes, staying on /groups/group-b/-/edit.
  6. Remove group.
    • We are asked to confirm that we wish to remove group-b.
    • However, it is in fact /group-a which is removed.
Impact

This scenario improperly deletes a group. A user with sufficient permissions to delete both groups has no ability to prevent this bug or predict when it will arise.

Examples

This example video demonstrates the improper deletion of a group following the steps outlined above:

https://2020-08-16-gitlab.metamerlabs.io/2020-08-16_gitlab.com_group-deletion-collision-bug_v2_display-name-slug-confusion.mp4

(If the bug is project related, please create an example project and export it using the project export feature)

The bug relates to groups, not to projects.

(If you are using an older version of GitLab, this will also help determine whether the bug has been fixed in a more recent version)

The bug relates to gitlab.com.

(If the bug can be reproduced on GitLab.com without violating the Rules of Engagement as outlined in the program policy, please provide the full path to the project.)

The bug has been worked by the user account https://gitlab.com/2020-08-16-group-collision-bug

What is the current bug behavior?

See above.

(What actually happens, include relevant screenshots, API results, or complete HTTP requests)

See above.

What is the expected correct behavior?

See above.

(What you should see instead, include relevant screenshots, API results, or complete HTTP requests)

See above.

Relevant logs and/or screenshots

See above.

Output of checks

See above.

(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)

This bug happens on GitLab.com

Results of GitLab environment info

This bug happens on GitLab.com

Impact

An attacker or legitimate owner of gitlab groups could delete large swathes of data improperly.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Andrew Kelly