Projects can be transferred to groups where you have developer role only
HackerOne report #542685 by ashish_r_padelkar on 2019-04-19, assigned to estrike:
Summary
Hello,
Again, not sure if it's a documentation error or a security issue, but I thought I should report it anyway.
The documentation here at https://docs.gitlab.com/ee/user/project/settings/#transferring-an-existing-project-into-another-namespace states
You can transfer an existing project into a group if:
1. you have at least Maintainer permissions to that group
2. you are an Owner of the project.
The first case is NOT true because you can transfer the project into any group where you have Developer role too.
When you go to the transfer project settings in any of your owned projects at https://gitlab.com/<UserName>/<ProjectName>/edit, you will only see the groups that you either own or have maintainer permissions in listed in the dropdown, which is true as per the documentation.
However, when you capture the request and change the new_namespace_id parameter in the request below to a group where you have the Developer role, it goes through and moves the project into the group.
POST /<UserName>/<ProjectName>/transfer HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 75
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
Origin: https://gitlab.com
X-CSRF-Token: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1
utf8=%E2%9C%93&_method=put&new_namespace_id=4962333&commit=Transfer+project
This probably happens when you have a setting at the target group level which allows Developers to create projects.
The document was updated as a result of #446683 (closed).
Steps to reproduce
- As a project owner, go to your settings at https://gitlab.com/<UserName>/<ProjectName>/edit where transfer projects is available.
- You will find a list of groups that you own or have the maintainer role in a dropdown. This works fine as per the documentation.
- Now select any group and click "Transfer Project", and at this point capture the request in Burp Suite. The request looks like the one shown above.
- You can see that there is a new_namespace_id parameter in the request. Change it to a Group ID where you have only the Developer role and send the request.
- The project will be transferred to the group where you have the developer role, which contradicts the documentation!
What is the current bug behavior?
Allows you to transfer the project to groups where you have developer role.
What is the expected correct behavior?
As per documentation and UI, Projects should be transferred to groups which you own or have Maintainer permissions!
Output of checks
This bug happens on GitLab.com and probably on Omnibus installations too!
Regards,
Ashish
Impact
Allows you to transfer the projects to groups where you have developer permissions!
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
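The following is an added illustration, not code from the report or from GitLab itself. It models the failure the report describes: the page renders a dropdown filtered to groups where the user is Maintainer or Owner, but the server re-checks the submitted new_namespace_id against a weaker predicate (the reporter's hypothesis is "may this user create projects in the group", which the group-level "developers can create projects" setting satisfies). Role names, the ROLE_RANK table, the Group/Project structs, the user and group IDs, and both handler functions are constructed for this example; the form body is the one captured in the report, with new_namespace_id pointed at the developer-only group.

```ruby
require "uri"

# Constructed role ordering and sample records for this example; not GitLab data.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Group   = Struct.new(:id, :members, :developers_can_create_projects, keyword_init: true)
Project = Struct.new(:id, :owner_id, :namespace_id, keyword_init: true)

def role_in(user_id, group)
  group.members[user_id]
end

def at_least?(role, minimum)
  !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(minimum)
end

# Permission the report suspects was guarding the transfer: "may this user
# create a project in the group?" A Developer passes when the group allows it.
def can_create_project?(user_id, group)
  role = role_in(user_id, group)
  at_least?(role, :maintainer) ||
    (role == :developer && group.developers_can_create_projects)
end

# Permission the documentation actually describes: Maintainer or Owner of the group.
def can_transfer_into?(user_id, group)
  at_least?(role_in(user_id, group), :maintainer)
end

# Parse the captured form body. The dropdown only shaped what the browser sent;
# new_namespace_id is attacker-controlled by the time it reaches the server.
def target_namespace_id(form_body)
  params = URI.decode_www_form(form_body).to_h
  Integer(params.fetch("new_namespace_id"))
end

# Shared handler: the vulnerable and fixed versions differ only in which
# predicate guards the target group.
def transfer(user_id, project, groups, form_body, guard)
  return :forbidden_not_project_owner unless project.owner_id == user_id
  target = groups[target_namespace_id(form_body)]
  return :not_found unless target
  return :forbidden_target_group unless guard.call(user_id, target)
  project.namespace_id = target.id
  :transferred
end

def transfer_vulnerable(user_id, project, groups, form_body)
  transfer(user_id, project, groups, form_body, method(:can_create_project?))
end

def transfer_fixed(user_id, project, groups, form_body)
  transfer(user_id, project, groups, form_body, method(:can_transfer_into?))
end

# Scenario from the report (IDs constructed): user 7 owns the project, is a
# Maintainer in group 100, and only a Developer in group 4962333, which lets
# developers create projects.
def scenario
  groups = {
    100     => Group.new(id: 100, members: { 7 => :maintainer }, developers_can_create_projects: false),
    4962333 => Group.new(id: 4962333, members: { 7 => :developer }, developers_can_create_projects: true),
  }
  project = Project.new(id: 1, owner_id: 7, namespace_id: 7)
  [groups, project]
end

# Body as captured in the report, after editing new_namespace_id in the proxy.
TAMPERED_BODY = "utf8=%E2%9C%93&_method=put&new_namespace_id=4962333&commit=Transfer+project"

def demo
  groups, project = scenario
  {
    vulnerable: transfer_vulnerable(7, project.dup, groups, TAMPERED_BODY),
    fixed:      transfer_fixed(7, project.dup, groups, TAMPERED_BODY),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the two outcomes for the same tampered request: the vulnerable handler transfers the project, the fixed one rejects it. The point of the split is that the list offered in the UI is a convenience, and whatever predicate populated it has to be the same one the server enforces on the submitted ID.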
