Github project import restriction bypass

HackerOne report #497975 by xanbanx on 2019-02-19, assigned to estrike:

A GitLab administrator can restrict the import sources and disable the Github import from the admin interface.

However, this restriction can be bypassed by any user by importing the Github project via the import API rather than using the web interface: https://docs.gitlab.com/ee/api/import.html#doc-nav

Steps To Reproduce:

Tested on a local installation of GitLab 11.8.0-pre (gitlab-ce@3dca5b307683e9f91941d6ddafaace6d856f8c7b)

1. As the administrator, go to http://example.gitlab.com/admin/application_settings and disable the Github import source as shown in the screenshot below
2. As a user named, e.g., user, perform the following API call:

curl --request POST --header "PRIVATE-TOKEN: <your-GL-Token> --data "personal_access_token=<GH-Token>&repo_id=1&target_namespace=user" https://example.gitlab.com/api/v4/import/github  

3. Instead of raising an error message, the API correctly imports the repository from GitHub

Impact

The user bypasses the restriction of import sources setup by the administrator

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• Screenshot_20190219_141841.png