gitlab-org/gitlab issue #26017 (Closed)
Issue created Jan 07, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

CSRF in System hooks execution through API

HackerOne report #471274 by mishre on 2018-12-22:

Summary: Gitlab allows admins (of the whole deployment) to configure system hooks, which will be executed upon certain actions (across all projects). However, it seems that there exists an endpoint which sends a test web hook when browsed by an admin.

Description: When the admin is logged in and an attacker lures him into browsing https://gitlab-instance/api/v4/hooks/{hook-id}, the hook is executed with test parameters, possibly causing undesired actions to be performed (sending requests which the admin didn't want to send). An attacker can cause a silent execution of the web hook by luring the admin into browsing his own site (while including an image on that site pointing to the mentioned endpoint) or by luring the admin into clicking a link.

Steps To Reproduce:

  1. Login to Gitlab as the instance admin.
  2. Browse to https://gitlab-instance/admin/hooks
  3. Create a hook pointing to a server under your control.
  4. Now browse to https://gitlab-instance/api/v4/hooks/1 (substitute 1 with the created hook's id)
  5. To verify this actually executed the hook, check your hook server logs: you should see a request with the following header: X-Gitlab-Event

Impact

An attacker can cause system hooks to be executed undesirably.

Security Team Recommendation

Change the HTTP method to POST to be consistent with the solution in https://gitlab.com/gitlab-org/gitlab-ce/issues/42604.
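The following is an added example, not GitLab's code, that models the report and the recommended fix in plain Ruby: a toy `HookApi` router with a constructed admin session and one constructed system hook (the names `HookApi`, `SESSIONS`, `HOOKS`, the `_session` cookie and the request hash are assumptions for illustration). In the vulnerable configuration a GET to `/api/v4/hooks/1` carrying only the admin's session cookie, which is exactly what a cross-site `<img>` or link produces, fires the hook. In the hardened configuration GET is read-only and the test delivery moves to POST, where session-authenticated requests must also present the per-session CSRF token that a cross-site page cannot read.

```ruby
# Toy model of the GET-triggered system-hook test endpoint and its POST fix.
# Example code, not GitLab's; all names and data below are constructed.
class HookApi
  # Constructed sample data: one admin session (cookie value -> CSRF token)
  # and one system hook pointing at a server the reporter controls.
  SESSIONS = { 'admin-session-cookie' => 'csrf-token-abc' }.freeze
  HOOKS    = { 1 => { url: 'https://hooks.example/receiver' } }.freeze

  attr_reader :fired   # log of deliveries, what step 5 checks in server logs

  def initialize(hardened:)
    @hardened = hardened
    @fired = []
  end

  # request: { method:, path:, cookies: {}, headers: {} }; returns a status code.
  def call(request)
    return 401 unless authenticate(request)

    m = request[:path].match(%r{\A/api/v4/hooks/(\d+)\z})
    hook = m && HOOKS[m[1].to_i]
    return 404 unless hook

    case request[:method]
    when 'GET'
      fire(hook) unless @hardened   # vulnerable build: a read triggers the test delivery
      200                           # hardened build: GET only returns the hook
    when 'POST'
      return 405 unless @hardened   # vulnerable build had no POST route here
      fire(hook)
      201
    else
      405
    end
  end

  private

  # Session-cookie authentication, as a browser performs automatically on any
  # cross-site <img>/<form>/link request. Reads are allowed on the session
  # alone; state-changing methods must also carry the per-session CSRF token
  # in a header, which a forged cross-site request cannot supply.
  def authenticate(request)
    csrf = SESSIONS[request[:cookies]['_session']]
    return nil unless csrf
    return :admin if request[:method] == 'GET'
    request[:headers]['X-CSRF-Token'] == csrf ? :admin : nil
  end

  def fire(hook)
    @fired << { url: hook[:url], 'X-Gitlab-Event' => 'System Hook' }
  end
end

# A request forged from the attacker's page: the browser attaches the admin's
# cookie but no custom headers (an <img src=...> gives GET, an auto-submitted
# <form> gives POST).
def forged_request(method)
  { method: method, path: '/api/v4/hooks/1',
    cookies: { '_session' => 'admin-session-cookie' }, headers: {} }
end

# The admin's own UI/API client, which can read and send the CSRF token.
def legitimate_post
  forged_request('POST').merge(headers: { 'X-CSRF-Token' => 'csrf-token-abc' })
end

def demo
  vulnerable = HookApi.new(hardened: false)
  fixed      = HookApi.new(hardened: true)
  {
    vuln_get_status:          vulnerable.call(forged_request('GET')),
    vuln_fired:               vulnerable.fired.size,            # 1: CSRF succeeded
    fixed_get_status:         fixed.call(forged_request('GET')), # 200 but read-only
    fixed_forged_post_status: fixed.call(forged_request('POST')),# 401: no CSRF token
    fixed_legit_post_status:  fixed.call(legitimate_post),       # 201: admin's own call
    fixed_fired:              fixed.fired.size                    # 1: only the legitimate call
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The method change only closes the hole because the framework refuses session-authenticated non-GET requests that lack a valid CSRF token (or an explicit token header a cross-site page cannot set): a cross-site page can still auto-submit a POST form with the victim's cookies, so it is the token check, not the verb, that stops the forged POST above. SameSite=Lax cookie defaults in current browsers also block the `<img>` variant, but not the top-level link-click variant the report describes.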

Edited Jan 07, 2019 by Ethan Strike