Able to use paid features for free such as Pipeline subscription, Pipeline test cases, Project Access Tokens
HackerOne report #1034957 by vaib25vicky
on 2020-11-15, assigned to @dcouture:
Report
Summary
When a project is transferred from a group with a gold plan to a group with a free plan, paid features such as Pipeline subscription, Pipeline test cases and Project Access Tokens still work in the new group with the free plan.
Usually all other paid features of the project get revoked when the project is transferred from a group with a higher plan to a free plan, but some features are still not revoked.
Steps to reproduce
- Create a group and opt for the gold plan/trial version
- Create a subgroup, since project access tokens are only available to projects inside a subgroup
- Create a project inside the subgroup
- Now, we'll set up and use paid features in the project
- To create a project access token, go to project settings > access_token
- For pipeline subscription, go to project settings > ci_cd
- For the pipeline test cases feature, create a test case by going to project/-/quality/test_cases
- Now, we'll transfer the project from the gold plan group to the free plan group
- The project is now part of the free plan group and you will be able to use all the above paid features here too. Although they are not visible, they are still working.
For testing the pipeline subscription, create a new tag in the project that you configured previously.
For testing the project access token, use the token that you created previously. It is still working.
For testing pipeline test cases, you won't be able to view them, but go directly to the endpoint https://gitlab.com/<owner>/<project>/-/issues/<test_case_id> to view the test case.
Let me know if you need more info.
Impact
- Able to use paid features for free such as Pipeline subscription, Pipeline test cases, Project Access Tokens.
- Since the new owner can't revoke project access tokens and GitLab didn't revoke the token when the project moved from the gold plan to the free plan, anyone with access to previously created project access tokens can access private information such as the project API, repository files etc. in the new private group.
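An added example (not the reporter's or GitLab's code) of the post-transfer check this report says is missing: a licence audit that revokes access tokens and removes pipeline subscriptions the destination group's plan does not cover, and flags test cases that remain reachable by URL. The plan names, the plan-to-feature matrix, and every id and token value are assumptions constructed for the example.

```python
"""Post-transfer licence audit: an added example, not GitLab's own code.

Models a project snapshot as it could be assembled from GitLab's REST API
(for example GET /projects/:id/access_tokens) and, after a transfer, revokes
what the destination plan does not license.  The plan -> feature matrix is
an assumption taken from the report: all three features are gold-only.
"""
from dataclasses import dataclass, field

PLAN_FEATURES = {  # assumed licence matrix
    "free": set(),
    "gold": {"project_access_tokens", "pipeline_subscriptions", "test_cases"},
}


@dataclass
class ProjectState:
    access_tokens: list = field(default_factory=list)         # {"id","name","token","active"}
    pipeline_subscriptions: list = field(default_factory=list)  # upstream project paths
    test_cases: list = field(default_factory=list)            # issue ids of type test_case


def token_is_valid(state, token_value):
    """Authentication check a transfer must be able to fail: only active tokens pass."""
    return any(t["active"] and t["token"] == token_value for t in state.access_tokens)


def revoke_unlicensed(state, new_plan):
    """Revoke or remove every artefact new_plan does not license; return what was done."""
    allowed = PLAN_FEATURES.get(new_plan, set())
    findings = []
    if "project_access_tokens" not in allowed:
        for t in state.access_tokens:
            if t["active"]:
                t["active"] = False  # the step the report found missing
                findings.append(f"revoked token {t['id']} ({t['name']})")
    if "pipeline_subscriptions" not in allowed:
        findings += [f"removed subscription to {u}" for u in state.pipeline_subscriptions]
        state.pipeline_subscriptions.clear()
    if "test_cases" not in allowed:
        findings += [f"test case issue {i} still reachable by direct URL" for i in state.test_cases]
    return findings


def sample_state():
    """Constructed sample mirroring the report's setup (hypothetical ids and token)."""
    return ProjectState(
        access_tokens=[{"id": 7, "name": "ci-bot", "token": "CONSTRUCTED-TOKEN", "active": True}],
        pipeline_subscriptions=["upstream-group/lib"],
        test_cases=[42],
    )


if __name__ == "__main__":
    s = sample_state()
    print("token valid before transfer:", token_is_valid(s, "CONSTRUCTED-TOKEN"))
    print(*revoke_unlicensed(s, "free"), sep="\n")
    print("token valid after transfer:", token_is_valid(s, "CONSTRUCTED-TOKEN"))
```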