GitLab.org / GitLab · Issue #26801 · Closed
Issue created Feb 18, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

User can get access to a Private Project again even after being removed from the Project

HackerOne report #492621 by rgupt on 2019-02-07, assigned to dappelt:

Summary:
When a user invites a new member via email and, while the invitation is still pending acceptance, the invited person gets removed from the project, the pending invitation is not automatically removed and is still active. As a result, a bad actor can send invitations to themselves (i.e. to an alias email address) and rejoin the project even after being removed.

Steps To Reproduce:

  1. Assume there is a private project Project1 and the owner of the project is User1.
  2. User1 invites a new member User2 (user2@gmail.com) and gives them maintainer permission.
  3. User2 navigates to Project1 Settings and sends out an invitation to a new email address which has not been registered in GitLab yet.
  4. Assume User2 sent out an invitation to user2+email1@gmail.com.
    Note that in this case the email is still delivered to user2@gmail.com, as anything after the + sign is ignored by Gmail.
  5. Now, when User1 removes User2 from the project, the pending email invitation sent by User2 is still not removed automatically and remains active.
  6. Now, when User2 clicks the Accept Invitation link in the email, the link has still not expired or been removed, and the user can click and confirm to accept the invitation.

Note: Another flaw which I found is that even though the invitation was sent to user2+email1@gmail.com, the invitation can still be accepted by User2's account, whose email is user2@gmail.com.

Hence, with the above-mentioned flaws, a user can get access to the private project even after being removed from it.

Comparison of this behavior with GitHub:

I performed the same steps mentioned above on the GitHub platform, and GitHub handles this really well. Whenever a user is removed from an organization (or a private project), all pending invitations sent by that user are also automatically removed. However, in the case of GitLab, they are not removed.

Impact

If a user is given maintainer permission on a private project, that user can still regain access to the private project even after being removed from it.
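The two flaws above (pending invites surviving the inviter's removal, and an invite being accepted by an account whose email does not match the invited address) are easiest to see in a small in-memory model. The following Ruby block is an added example written for this page; it is not GitLab's code, and the `Project`, `Invite`, `remove_member_*` and `accept_*` names are hypothetical. It replays the report's steps (User1, User2, user2+email1@gmail.com) against a vulnerable variant and a hardened one that cascade-revokes the removed member's pending invites and requires an exact email match at acceptance time.

```ruby
# Added illustration, not GitLab's code: a minimal model of project membership
# and email invitations. Members are keyed by their verified email address.
require 'securerandom'

Invite = Struct.new(:token, :email, :inviter, :access, :state)

class Project
  attr_reader :members, :invites

  def initialize(owner_email)
    @members = { owner_email => :owner }   # email => access level
    @invites = {}                          # token => Invite
  end

  def member?(email)
    @members.key?(email)
  end

  # Only an existing member may invite. Returns the token that would be
  # embedded in the "Accept Invitation" link sent by email.
  def invite(inviter_email, invitee_email, access)
    raise 'only members can invite' unless member?(inviter_email)
    token = SecureRandom.hex(16)
    @invites[token] = Invite.new(token, invitee_email.downcase, inviter_email, access, :pending)
    token
  end

  # Vulnerable: the membership row is deleted, but every invite this member
  # created stays :pending and its link keeps working (flaw 1 in the report).
  def remove_member_vulnerable(email)
    @members.delete(email)
  end

  # Hardened: removing a member also revokes all pending invites they sent.
  def remove_member_hardened(email)
    @members.delete(email)
    @invites.each_value do |inv|
      inv.state = :revoked if inv.inviter == email && inv.state == :pending
    end
  end

  # Vulnerable: whoever holds a pending token may accept it, regardless of
  # which address it was issued to (flaw 2 in the report).
  def accept_vulnerable(token, acceptor_email)
    inv = @invites[token]
    return false unless inv && inv.state == :pending
    inv.state = :accepted
    @members[acceptor_email.downcase] = inv.access
    true
  end

  # Hardened: the invite must still be pending, the inviter must still be a
  # member, and the acceptor's verified address must equal the invited address
  # exactly. user2@gmail.com is therefore not accepted for an invite issued to
  # user2+email1@gmail.com, even though Gmail delivers both to one inbox.
  def accept_hardened(token, acceptor_email)
    inv = @invites[token]
    return false unless inv && inv.state == :pending
    return false unless member?(inv.inviter)
    return false unless acceptor_email.downcase == inv.email
    inv.state = :accepted
    @members[inv.email] = inv.access
    true
  end
end

# Replays the report's steps with constructed addresses taken from the report.
# Returns true when User2 is a member again after being removed.
def replay_report(hardened:)
  project = Project.new('user1@example.com')              # step 1: User1 owns Project1
  project.members['user2@gmail.com'] = :maintainer        # step 2: User2 is a maintainer
  token = project.invite('user2@gmail.com', 'user2+email1@gmail.com', :maintainer) # steps 3-4
  if hardened
    project.remove_member_hardened('user2@gmail.com')     # step 5
    project.accept_hardened(token, 'user2@gmail.com')     # step 6
  else
    project.remove_member_vulnerable('user2@gmail.com')
    project.accept_vulnerable(token, 'user2@gmail.com')
  end
  project.member?('user2@gmail.com')
end

puts "vulnerable model: User2 regained access? #{replay_report(hardened: false)}"
puts "hardened model:   User2 regained access? #{replay_report(hardened: true)}"
```

The hardened `accept_hardened` re-checks the inviter's membership at acceptance time as well as revoking on removal; the former covers the race where a removal and an acceptance interleave, and the exact email comparison closes the alias path independently of revocation.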
