Unauthorized user is able to unlock the locked file of the project
HackerOne report #1023504 by vaib25vicky
on 2020-10-31, assigned to @ankelly:
Report
Summary
The permission model around file locking is as follows:
> Locks can be created by any person who has at least Developer permissions to the repository.
Only the user who locked the file or directory can edit locked files.
But what if the user who locked the file is removed from the project?
Currently, a user who has been removed from the project can't unlock the file from the file page, https://gitlab.com/<owner>/<project>/-/blob/master/<file>,
and gets an error message.
But a user who has been removed from the project can still unlock files by going to the project's lock list, i.e. https://gitlab.com/<owner>/<project>/path_locks,
and unlocking the file there. No error is returned.
Steps to reproduce
- Create a public test project and a file named `test_file`
- Invite a test user, say `Vicky`, with developer permissions
- `Vicky` locks `test_file`
- As owner of the project, remove the `Vicky` user from the project
- At this point `Vicky` can't unlock the file because he is not a member of the project, and if he tries to remove the lock by going to `test_file`, he'll get an error
- `Vicky` goes to the project's `path_locks` page, i.e. https://gitlab.com/<owner>/<project>/path_locks
- Remove the lock by selecting `Unlock`
Here, the lock on the file has been removed by an unauthorized user.
Impact
Unauthorized user is able to unlock the locked file of the project
What is the current bug behavior?
A user who has been removed from the project is still able to unlock files. Even though this is not possible from the file page, by going to the project's `path_locks` page
a malicious user is able to unlock the file.
What is the expected correct behavior?
The user who locked a file shouldn't be allowed to unlock it if he/she is no longer a member of the project and has been removed by the admin.
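To make the missing check concrete, here is an added example (not GitLab's code) of a minimal Ruby model of path locks in which the unlock authorization is gated on current project membership. The `Project`, `PathLock` and `can_unlock?` names, the access-level numbers and the user names are constructed for this illustration. The vulnerable variant that only checks lock ownership is shown beside the hardened one so the difference in the reported scenario is visible.

```ruby
# Added example, not GitLab's own code: a toy model of file locking that
# applies the same authorization check on every unlock route.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30,
                  maintainer: 40, owner: 50 }.freeze

PathLock = Struct.new(:path, :user)

class Project
  attr_reader :path_locks

  def initialize
    @members = {}      # user name => access level symbol (constructed)
    @path_locks = []
  end

  def add_member(user, level)
    @members[user] = level
  end

  def remove_member(user)
    @members.delete(user)
  end

  def member?(user)
    @members.key?(user)
  end

  # Non-members resolve to 0, below every real access level.
  def access_level(user)
    ACCESS_LEVELS.fetch(@members[user], 0)
  end

  # Locking requires at least Developer permissions, as the report quotes.
  def lock(path, user)
    raise "forbidden" unless access_level(user) >= ACCESS_LEVELS[:developer]
    @path_locks << PathLock.new(path, user)
  end

  # Vulnerable check: only asks "did this user create the lock?", so a user
  # removed from the project still passes as long as the lock remembers them.
  def can_unlock_ownership_only?(lock, user)
    lock.user == user
  end

  # Hardened check: the requester must still be a member with Developer
  # permissions, and must either own the lock or hold Maintainer rights to
  # force-unlock someone else's lock. Any unlock route should call this.
  def can_unlock?(lock, user)
    return false unless member?(user)
    return false unless access_level(user) >= ACCESS_LEVELS[:developer]
    lock.user == user || access_level(user) >= ACCESS_LEVELS[:maintainer]
  end

  def unlock(path, user)
    lock = @path_locks.find { |l| l.path == path }
    raise "no such lock" unless lock
    raise "forbidden" unless can_unlock?(lock, user)
    @path_locks.delete(lock)
  end
end

# Reproduces the report's scenario with constructed names: "vicky" locks a
# file as a Developer and is then removed from the project.
def removed_user_scenario
  project = Project.new
  project.add_member("owner", :owner)
  project.add_member("vicky", :developer)
  project.lock("test_file", "vicky")
  project.remove_member("vicky")
  [project, project.path_locks.first]
end

# true: the ownership-only check would let the removed user unlock the file.
def removed_user_unlocks_with_ownership_only_check?
  project, lock = removed_user_scenario
  project.can_unlock_ownership_only?(lock, "vicky")
end

# false: the hardened check denies the removed user.
def removed_user_unlocks_with_hardened_check?
  project, lock = removed_user_scenario
  project.can_unlock?(lock, "vicky")
end

# true: the project owner can still clear the orphaned lock.
def owner_can_clear_orphaned_lock?
  project, lock = removed_user_scenario
  project.can_unlock?(lock, "owner")
end

if __FILE__ == $PROGRAM_NAME
  puts "ownership-only: #{removed_user_unlocks_with_ownership_only_check?}"
  puts "hardened:       #{removed_user_unlocks_with_hardened_check?}"
  puts "owner override: #{owner_can_clear_orphaned_lock?}"
end
```

The point of routing both the file page and the lock-list page through the same `can_unlock?` method is that the membership check cannot be bypassed by picking a different entry point; a lock left behind by a removed user is then cleared by a Maintainer or Owner rather than by the departed account.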
Output of checks
This bug happens on GitLab.com
Attachments
Warning: Attachments received through HackerOne, please exercise caution!