GitLab.org / GitLab, Issue #24648 (Closed)
Issue created Oct 11, 2018 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Create fork relation from public project which is not allowed to be forked - API

HackerOne report #419977 by ashish_r_padelkar on 2018-10-06:

Summary: Hello,

If a public project has the following settings, GitLab users with no membership in the project are not allowed to create forks of the project.

[Screenshot: Screen_Shot_2018-10-06_at_15.13.51.png]

However, using the API endpoint below, anybody can create a fork relationship from such projects: https://docs.gitlab.com/ee/api/projects.html#create-a-forked-fromto-relation-between-existing-projects

POST /projects/:id/fork/:forked_from_id

Description: When a project has the above settings, users are not allowed to fork from that project.

You can see my own public project here

[REDACTED]

You will not see a button to fork. But if you have any other project, then you can create a fork relationship to that project from this project!

Steps To Reproduce:

  1. Run the following curl command:
     curl --request POST --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.com/api/v4/projects/<YourProjectID>/fork/<PublicProjectIDwithAboveSettings>
  2. This will show a fork relationship in your project to the public project, which should not be possible otherwise.

Regards, Ashish

Impact

  1. This is not intended, so it can create inconsistencies across GitLab.
  2. When creating the fork relationship using the above curl command, the response shows the number of forks the public project has, which isn't visible in the UI.
  3. It shows the default branch of the public project, which isn't visible in the UI if you have the above-mentioned settings.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • [REDACTED]
Edited Jul 06, 2022 by Costel Maxim
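The report above describes an endpoint that authorizes the caller against the target project (the one receiving the fork relation) but never asks whether the caller may fork the source project, which is the question the UI's "Fork" button answers. The Ruby below is an added example, not the reporter's curl command and not GitLab's own code: the Struct-based data model, the `:forks_access` setting names and the `can_*?` helpers are assumptions chosen to make the missing check explicit. It places the unchecked behaviour the report describes next to a checked variant, and includes the two response fields the report says were disclosed (fork count and default branch of the source project).

```ruby
# Added illustrative model of the authorization gap in
# POST /projects/:id/fork/:forked_from_id. Not GitLab's code.

Project = Struct.new(:id, :visibility, :forks_access, :members, :maintainers,
                     :forks_count, :default_branch, :forked_from_id,
                     keyword_init: true)
User = Struct.new(:id, keyword_init: true)

class Forbidden < StandardError; end # stands in for a 403/404 API response

# Assumed encoding of the "Forks" feature toggle in project settings:
#   :disabled     - nobody may fork
#   :members_only - only project members may fork (the setting in the report)
#   :enabled      - anyone who can see the project may fork

def can_read?(project, user)
  project.visibility == :public || project.members.include?(user.id)
end

# Mirrors the UI rule: the "Fork" button is shown only when this is true.
def can_fork?(project, user)
  return false unless can_read?(project, user)

  case project.forks_access
  when :disabled     then false
  when :members_only then project.members.include?(user.id)
  else true
  end
end

def can_admin?(project, user)
  project.maintainers.include?(user.id)
end

# The fields the report says were disclosed about the source project.
def fork_response(target, source)
  { id: target.id,
    forked_from_project: { id: source.id,
                           forks_count: source.forks_count,
                           default_branch: source.default_branch } }
end

# Unchecked: only the caller's rights on the *target* project are verified,
# which is the behaviour the report describes.
def create_fork_relation_unchecked(projects, user, target_id, source_id)
  target = projects.fetch(target_id)
  source = projects.fetch(source_id)
  raise Forbidden unless can_admin?(target, user)
  target.forked_from_id = source.id
  fork_response(target, source)
end

# Checked: additionally require that the caller could fork the *source*
# project, so the API agrees with the UI.
def create_fork_relation_checked(projects, user, target_id, source_id)
  target = projects.fetch(target_id)
  source = projects.fetch(source_id)
  raise Forbidden unless can_admin?(target, user)
  raise Forbidden unless can_fork?(source, user)
  target.forked_from_id = source.id
  fork_response(target, source)
end

# Constructed scenario (not real gitlab.com data): project 100 is public but
# forkable by members only; user 2 maintains project 200 and is not a member
# of project 100.
def demo_scenario
  projects = {
    100 => Project.new(id: 100, visibility: :public, forks_access: :members_only,
                       members: [1], maintainers: [1],
                       forks_count: 3, default_branch: "master"),
    200 => Project.new(id: 200, visibility: :private, forks_access: :enabled,
                       members: [2], maintainers: [2],
                       forks_count: 0, default_branch: "master")
  }
  [projects, User.new(id: 2)]
end

if __FILE__ == $PROGRAM_NAME
  projects, outsider = demo_scenario
  puts "UI shows Fork button: #{can_fork?(projects[100], outsider)}"
  puts "unchecked API: #{create_fork_relation_unchecked(projects, outsider, 200, 100)}"
  begin
    create_fork_relation_checked(projects, outsider, 200, 100)
  rescue Forbidden
    puts "checked API: rejected"
  end
end
```

The point of the side-by-side is that the endpoint has two subjects, the target and the source, and an authorization check on only one of them is what lets a non-member attach a fork relation to a project whose fork button they cannot see.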