Github project import restriction bypass
HackerOne report #497975 by xanbanx
on 2019-02-19, assigned to estrike
A GitLab administrator can restrict the import sources and disable the Github import from the admin interface.
However, this restriction can be bypassed by any user by importing the Github project via the import API rather than using the web interface: https://docs.gitlab.com/ee/api/import.html#doc-nav
Steps To Reproduce:
Tested on a local installation of GitLab 11.8.0-pre (gitlab-ce@3dca5b307683e9f91941d6ddafaace6d856f8c7b)
- As the administrator, go to http://example.gitlab.com/admin/application_settings and disable the Github import source as shown in the screenshot below.
- As a user named, e.g., "user", perform the following API call:
  curl --request POST --header "PRIVATE-TOKEN: <your-GL-Token>" --data "personal_access_token=<GH-Token>&repo_id=1&target_namespace=user" https://example.gitlab.com/api/v4/import/github
- Instead of returning an error, the API imports the repository from GitHub.
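The following Ruby model is added here as an illustration and is not GitLab's own code. It shows the class of defect behind the report: the administrator's import-source setting is consulted by one entry point but skipped by the API handler, and the fix is a single shared guard that every entry point runs before doing any import work. All names (ImportSettings, ImportGuard, api_import_github_unchecked, api_import_github) are hypothetical, and the settings and request data are constructed samples.

```ruby
# Added example (not GitLab's code): a minimal model of where the import-source
# restriction must be enforced. All names here are hypothetical.

# Instance-level settings the administrator edits at /admin/application_settings.
# import_sources lists the sources that remain enabled.
ImportSettings = Struct.new(:import_sources) do
  def source_enabled?(source)
    import_sources.include?(source.to_s)
  end
end

class ImportSourceDisabled < StandardError; end

# One shared authorization guard, meant to sit in front of every import entry
# point (web UI and REST API alike) so the policy cannot be sidestepped by
# choosing a different entry point.
module ImportGuard
  def self.check!(settings, source)
    return true if settings.source_enabled?(source)

    raise ImportSourceDisabled, "import source '#{source}' is disabled by the administrator"
  end
end

# Model of the reported behaviour: the API handler never consults the setting,
# so a disabled source is still importable. Returns [status, body] without
# contacting GitHub; the body is a constructed stand-in for the project JSON.
def api_import_github_unchecked(_settings, params)
  [201, { 'name' => "repo-#{params['repo_id']}", 'namespace' => params['target_namespace'] }]
end

# Hardened handler: the same guard the web flow uses runs before any import work.
def api_import_github(settings, params)
  ImportGuard.check!(settings, 'github')
  api_import_github_unchecked(settings, params)
rescue ImportSourceDisabled => e
  [403, { 'message' => e.message }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the administrator has disabled the GitHub import source.
  locked_down = ImportSettings.new(%w[gitlab_project])
  request = { 'repo_id' => '1', 'target_namespace' => 'user' }
  p api_import_github_unchecked(locked_down, request) # status 201 although github is disabled (the bypass)
  p api_import_github(locked_down, request)           # status 403 (the fix)
end
```

The point of the model is placement, not the check itself: validating the import source in the web form is worthless if the REST route that performs the same action does not run the identical guard, so the check belongs in the shared service layer rather than in any one controller.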
Impact
The user bypasses the restriction of import sources set up by the administrator.