User can get access to a Private Project again even after being removed from the Project
HackerOne report #492621 by rgupt
on 2019-02-07, assigned to dappelt
Summary:
When a user invites a new member via email, the invitation is still pending acceptance, and the inviting user is then removed from the project, the pending invitation is not automatically revoked and remains active. As a result, a bad actor can send an invitation to himself (i.e. an alias of his own email address) and rejoin the project even after being removed.
Steps To Reproduce:
- Assume there is a private project Project1 and the owner of the project is User1.
- User1 invites a new member User2 (user2@gmail.com) and gives him the Maintainer permission.
- User2 navigates to the Project1 settings and sends an invitation to a new email address that has not yet been registered in GitLab.
- Assume User2 sent the invitation to user2+email1@gmail.com.
  Note: in this case the email is still delivered to user2@gmail.com, because anything after the + sign is ignored by Gmail.
- Now when User1 removes User2 from the project, the pending email invitation sent by User2 is not removed automatically and remains active.
- Now when User2 clicks the Accept Invitation link in the email, the link has not expired or been revoked, and the user can click through and confirm to accept the invitation.
Note: another flaw I found is that even though the invitation was sent to user2+email1@gmail.com, it can still be accepted from User2's account, whose email address is user2@gmail.com.
Hence, with the two flaws above, a user can regain access to a private project even after being removed from it.
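The two checks the report says are missing, as an added example in Ruby (illustration only, not GitLab's code): removing a member also revokes every pending invitation that member sent, and an invitation can only be accepted by the exact address it was sent to. The ProjectAccess, Member and Invite names are assumptions for this example.

```ruby
# Added example, not GitLab's code: a minimal in-memory membership store showing
# the hardening the report asks for. All class and field names are assumptions.
Member = Struct.new(:user, :project, :access)
Invite = Struct.new(:project, :email, :access, :invited_by, keyword_init: true)

class ProjectAccess
  def initialize
    @members = [] # accepted memberships
    @invites = [] # pending email invitations
  end

  def add_member(user, project, access)
    @members << Member.new(user, project, access)
  end

  def member?(user, project)
    @members.any? { |m| m.user == user && m.project == project }
  end

  # Only an existing member may invite; the address is normalised for comparison.
  def invite(project, email, access, invited_by)
    raise ArgumentError, "inviter is not a member" unless member?(invited_by, project)
    inv = Invite.new(project: project, email: email.strip.downcase,
                     access: access, invited_by: invited_by)
    @invites << inv
    inv
  end

  # Flaw 1 fix: removing a member also revokes every pending invitation they sent,
  # so a removed user cannot re-enter through an invitation they issued to themselves.
  def remove_member(user, project)
    @members.reject! { |m| m.user == user && m.project == project }
    @invites.reject! { |i| i.project == project && i.invited_by == user }
  end

  # Flaw 2 fix: the invitation must still be pending and must be accepted with the
  # exact address it was sent to (user2+email1@... is not user2@...).
  def accept(invite, user, user_email)
    return false unless @invites.include?(invite)
    return false unless invite.email == user_email.strip.downcase
    @invites.delete(invite)
    add_member(user, invite.project, invite.access)
    true
  end

  def pending_invites(project)
    @invites.select { |i| i.project == project }
  end
end
```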
Comparison of this behavior with GitHub:
I did the same steps mentioned above on the GitHub platform, and GitHub handles this really well. Whenever a user is removed from an Organization or a private project, all the pending invitations sent by that user are also automatically removed. However, in the case of GitLab, they are not removed.
Impact:
If a user is granted the Maintainer permission on a private project, that user can regain access to the private project even after being removed from it.