Gitlab.com Group Deletion Through Slug Collision - v2: Display Name / Slug Confusion
HackerOne report #960000 by jcahill on 2020-08-16, assigned to @kaunghtet:
Report
> NOTE! Thanks for submitting a report! Please replace all the (parenthesized) sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!
Summary
This bug is a data security issue affecting groups on gitlab.com. Other GitLab instances have not been tested by the researcher, but may also be affected. The effect of the bug is the improper deletion of incorrect groups, along with all their sub-groups and projects.
Steps to reproduce
To reproduce:
- Create /group-a
- Create /group-b
- Navigate to /groups/group-b/-/edit
- Change Group name with "group-a" as input.
- Change group URL with "group-a" as input.
- This appears to fail.
- The page now refreshes, staying on /groups/group-b/-/edit.
- Remove group.
- We are asked to confirm that we wish to remove group-b.
- However, it is in fact /group-a which is removed.
Impact
This scenario improperly deletes a group. A user with sufficient permissions to delete both groups has no ability to prevent this bug or predict when it will arise.
Examples
This example video demonstrates the improper deletion of a group following the steps outlined above:
(If the bug is project related, please create an example project and export it using the project export feature)
The bug relates to groups, not to projects.
(If you are using an older version of GitLab, this will also help determine whether the bug has been fixed in a more recent version)
The bug relates to gitlab.com.
(If the bug can be reproduced on GitLab.com without violating the Rules of Engagement as outlined in the program policy, please provide the full path to the project.)
The bug has been worked by the user account https://gitlab.com/2020-08-16-group-collision-bug
What is the current bug behavior?
See above.
(What actually happens, include relevant screenshots, API results, or complete HTTP requests)
See above.
What is the expected correct behavior?
See above.
(What you should see instead, include relevant screenshots, API results, or complete HTTP requests)
See above.
Relevant logs and/or screenshots
See above.
Output of checks
See above.
(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)
This bug happens on GitLab.com
Results of GitLab environment info
This bug happens on GitLab.com
Impact
An attacker or legitimate owner of gitlab groups could delete large swathes of data improperly.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!