Import pending members from public projects or private projects (if you have guest role)
HackerOne report #542539 by ashish_r_padelkar on 2019-04-19, assigned to
As per the documentation here:
"In the dropdown menu, you can see only the projects you are Maintainer on."
This is NOT true: you can also see the projects where you have only Guest access.
The problem with this is that once you import members from such a project, a guest can see all pending members who were invited by email but have not joined the project yet. In other words, guests are able to see the email addresses of all members who were invited by email by Admins but have not yet joined GitLab.
If a guest simply visits the members URL directly in the UI, they do not see these members who have not joined GitLab yet.
Steps to reproduce
1. As an Owner in your project, navigate to
2. When you click on the dropdown, you will see not only the projects where you are a Maintainer, but also all the projects where you just have
3. Select the project where you have the Guest role and click on "Import Project Members".
4. The request responsible for this is:

```http
POST /<YourUserName>/<YourProject>/project_members/apply_import HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 157
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1

utf8=%E2%9C%93&authenticity_token=1&source_project_id=10776018
```

   You can also replace the source_project_id parameter in the above request with the id of a public project, and it will import from the public project too!
This imports the email addresses of members who have not yet joined the selected project, which you do not see when you navigate to the members URL from the UI!
Navigate to my public project here
You will see just one member there.
Now follow the reproduction steps above, replace the source_project_id parameter in the above request with 10776018, and send the request.
Now check the member list. You will see an email address there. This is an invited email which guest users cannot normally see, as the invited member has not yet joined GitLab or the project!
What is the current bug behavior?
Allows you to import pending members from public projects, as well as from private projects where you only have the Guest role.
What is the expected correct behavior?
Only members from projects where you have the Maintainer role should be allowed to be imported.
Output of checks
This bug happens on GitLab.com and might also affect Omnibus installations.
Allows you to import pending members from public projects as well as private projects where you just have guest role.
The import feature should only allow users to import members from projects where the user has a Maintainer role. This should address the issues called out under steps 2 and 4 in the Steps to Reproduce section.
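As an added illustration of the fix described above (this is not GitLab's code, and the project ids, usernames and email addresses are constructed sample data), the following toy model contrasts a "readable source" check, which lets a Guest or any user of a public project pull pending invites across, with a check that derives the allowed source projects server-side from the user's Maintainer memberships. The important design point is that the same `importable_projects` list should drive both the dropdown and the `apply_import` handler, so a hand-edited `source_project_id` is rejected even when the UI never offered it.

```ruby
# Added example, not GitLab's code: a toy model of the authorization check the
# "import project members" endpoint needs. All data below is constructed.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# members:         { username => role }
# pending_invites: email addresses invited by an admin who have not joined yet
Project = Struct.new(:id, :visibility, :members, :pending_invites, keyword_init: true)

class ImportNotAuthorized < StandardError; end

def access_level(project, user)
  role = project.members[user]
  role ? ACCESS_LEVELS.fetch(role) : 0
end

def maintainer?(project, user)
  access_level(project, user) >= ACCESS_LEVELS[:maintainer]
end

# Only projects where the user is at least Maintainer may be import sources.
# Visibility is deliberately ignored: being public is not an exemption.
def importable_projects(all_projects, user)
  all_projects.select { |p| maintainer?(p, user) }
end

def copy_members(target, source)
  source.members.each { |u, role| target.members[u] ||= role }
  target.pending_invites |= source.pending_invites
  target
end

# Weak variant: accepts any source the user can read. A Guest on a private
# project, or anyone on a public project, gets the pending invites copied over.
def apply_import_weak(target, source_id, user, all_projects)
  raise ImportNotAuthorized unless maintainer?(target, user)
  source = all_projects.find { |p| p.id == source_id }
  readable = source && (source.visibility == :public || access_level(source, user) > 0)
  raise ImportNotAuthorized unless readable
  copy_members(target, source)
end

# Hardened variant: the source must be in the user's importable set, the same
# set the dropdown should be built from, checked on the server for every request.
def apply_import(target, source_id, user, all_projects)
  raise ImportNotAuthorized unless maintainer?(target, user)
  source = importable_projects(all_projects, user).find { |p| p.id == source_id }
  raise ImportNotAuthorized if source.nil?
  copy_members(target, source)
end

# Constructed sample data: "attacker" owns project 1, is only a Guest on
# private project 2, and has no membership at all on public project 3.
def sample_projects
  [
    Project.new(id: 1, visibility: :private, members: { "attacker" => :owner }, pending_invites: []),
    Project.new(id: 2, visibility: :private, members: { "alice" => :owner, "attacker" => :guest },
                pending_invites: ["invited-1@example.invalid"]),
    Project.new(id: 3, visibility: :public, members: { "bob" => :owner },
                pending_invites: ["invited-2@example.invalid"])
  ]
end

# Returns [emails leaked by the weak check, whether the hardened check rejected].
def compare(source_id)
  weak = apply_import_weak(sample_projects[0], source_id, "attacker", sample_projects)
  rejected = begin
    apply_import(sample_projects[0], source_id, "attacker", sample_projects)
    false
  rescue ImportNotAuthorized
    true
  end
  [weak.pending_invites, rejected]
end

if __FILE__ == $PROGRAM_NAME
  [2, 3].each do |id|
    emails, rejected = compare(id)
    puts "source #{id}: weak check leaked #{emails.inspect}; hardened check rejected=#{rejected}"
  end
end
```

Importing from a project the user actually maintains (project 1 in the sample data) still succeeds under the hardened check, so the fix narrows the source set without breaking the legitimate flow.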