Create fork relation from public project which is not allowed to - API
HackerOne report #419977 by ashish_r_padelkar on 2018-10-06:
Summary: Hello,
If a public project has the following settings, GitLab users with no membership in the project are not allowed to create a fork of the project.
However, using the API endpoint below, anybody can create a fork relationship from such projects:
https://docs.gitlab.com/ee/api/projects.html#create-a-forked-fromto-relation-between-existing-projects
POST /projects/:id/fork/:forked_from_id
Description: When a project has the above settings, users are not allowed to fork from such projects.
You can see my own public project here:
[REDACTED]
You will not see a button to fork. But if you have any other project, then you can create a fork relationship to that project from this project!!
Steps To Reproduce:
- Just run the following curl command:
curl --request POST --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.com/api/v4/projects/<YourProjectID>/fork/<PublicProjectIDwithAboveSettings>
- This will show a fork relationship in your project to the public project, which should not be possible otherwise.
Regards, Ashish
Impact
- This is not intended, so it can create inconsistencies across GitLab
- When creating the fork relationship using the above curl, the response shows the number of forks the public project has, which isn't visible in the UI
- It shows the default branch of the public project, which isn't visible in the UI if you have the above-mentioned settings
Attachments
- [REDACTED]
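The gap the report describes (the fork-relation endpoint authorizes only the caller's own project, never the source project) modelled as an added Ruby example; this is not GitLab's code. `Project`, `User`, `can_fork?` and the `forking_allowed_for_non_members` flag are hypothetical stand-ins, the last one standing in for the redacted project settings from the report.

```ruby
# Added example (not GitLab's code): minimal model of the authorization gap in
# POST /projects/:id/fork/:forked_from_id. All names here are hypothetical.

Project = Struct.new(:id, :name, :public, :forking_allowed_for_non_members, :members, :forked_from)
User = Struct.new(:id)

def member?(user, project)
  project.members.include?(user.id)
end

# The rule the UI applies when deciding whether to render the "Fork" button
# (assumed: members always may; non-members only if the project allows it).
def can_fork?(user, project)
  member?(user, project) || (project.public && project.forking_allowed_for_non_members)
end

# Vulnerable: only checks that the caller controls the target project (:id);
# the source project (:forked_from_id) is never asked whether it may be forked.
def create_fork_relation_vulnerable(user, target, source)
  return :forbidden unless member?(user, target)
  target.forked_from = source.id
  :ok
end

# Hardened: authorize both sides with the same rule the UI uses.
def create_fork_relation_hardened(user, target, source)
  return :forbidden unless member?(user, target)
  return :forbidden unless can_fork?(user, source)
  target.forked_from = source.id
  :ok
end

# Constructed scenario: an outsider targets a public project that forbids
# forking by non-members, using a project the outsider owns as the target.
def demo
  outsider = User.new(7)
  restricted = Project.new(1, "restricted", true, false, [42], nil)
  mine_v = Project.new(2, "mine", true, true, [7], nil)
  mine_h = Project.new(3, "mine", true, true, [7], nil)
  {
    vulnerable: create_fork_relation_vulnerable(outsider, mine_v, restricted),
    hardened: create_fork_relation_hardened(outsider, mine_h, restricted),
    vulnerable_forked_from: mine_v.forked_from,
    hardened_forked_from: mine_h.forked_from
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```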