Malicious user can block gitlab.com users by exploiting 2FA inheritance logic
HackerOne report #637675 by marshall0705 on 2019-07-08, assigned to estrike
Summary
2FA inheritance can be manipulated to indefinitely block users' access to gitlab.com
Steps to reproduce
- Top level group [A] has 2FA enforced
- Child subgroup [B] also has 2FA enforced (should be irrelevant however, due to inheritance)
- Child subgroup [C] (should be irrelevant, was just used to contain tests, no explicit 2FA requirement)
- Project [D] in subgroup (inherited 2FA from [A] and [B])
- UserX added to [D] only, never added to groups
Structure: A / B / C / D
Theoretically the following structure should also exhibit the same behaviour: A / D
- Log in with UserX, which is then redirected to 2FA page (warning message attached)
- UserX attempts to remove self from groups, but cannot because they are not a member of the group
Impact
Users without 2FA can be denied access to gitlab by a malicious user adding them to a project that has inherited 2FA requirements. Users cannot remove themselves from the project as there is no option to do so, and cannot remove themselves from the parent group as they are not a member.
Examples
Experienced with personal account marshall0705 against project Holland And Barrett International / Platform as a Service / dan-test / dan-test. Admin account danmarshallhollbarr used to configure project/groups/members.
What is the current bug behavior?
User is not able to remove themselves from a project that is enforcing 2FA, therefore unable to navigate to other projects/groups.
Furthermore, removing the user from project does not lift the requirement.
What is the expected correct behavior?
Users should be able to leave projects that are enforcing 2FA.
Removing the user from the project should lift the 2FA requirement.
Relevant logs and/or screenshots
Please see attached screenshot for warning message, which does not include the option to remove self from the project. This is also shown after the user has been removed from the project by the owner.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A
Impact
An attacker can block users from accessing all gitlab.com groups/projects by adding a user to an arbitrary project that has inherited 2FA authentication. The user cannot remove themselves from the project, thus cannot navigate to any other resources.
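The two defects the report describes, a user who cannot leave a 2FA-enforcing project and a requirement that survives their removal, come down to how the effective 2FA requirement is derived from memberships. The following is an added example, not GitLab's code and not part of the report: a constructed model of a namespace tree (A / B / C / D as in the report) in which a group may enforce 2FA and every descendant inherits it. It contrasts deriving a user's requirement from live memberships (which lifts as soon as the project membership is gone) with a per-user cached flag that is set on add but never recomputed on removal, which is the kind of stale derived state that produces the "removing the user does not lift the requirement" symptom. All names and the `CachedFlagStore` pattern are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Namespace:
    """A group or project in a constructed tree. Groups may enforce 2FA;
    projects and subgroups inherit it from any ancestor."""
    name: str
    parent: Optional["Namespace"] = None
    require_2fa: bool = False
    members: Set[str] = field(default_factory=set)

    def chain(self):
        """Yield this node and then each ancestor up to the top-level group."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def effective_2fa(self) -> bool:
        """2FA is enforced here if this node or any ancestor enforces it."""
        return any(n.require_2fa for n in self.chain())


def requires_2fa_live(user: str, namespaces: List[Namespace]) -> bool:
    """Derive the requirement from current memberships only (no cached state)."""
    return any(user in ns.members and ns.effective_2fa() for ns in namespaces)


def build_structure() -> List[Namespace]:
    """Constructed tree from the report: A (2FA) / B (2FA) / C / D (project)."""
    a = Namespace("A", require_2fa=True)
    b = Namespace("B", parent=a, require_2fa=True)
    c = Namespace("C", parent=b)
    d = Namespace("D", parent=c)
    return [a, b, c, d]


def scenario_live() -> Tuple[bool, bool, bool]:
    """Membership-derived requirement: (after add, after 'leaving' A, after leaving D)."""
    namespaces = build_structure()
    a, d = namespaces[0], namespaces[3]
    d.members.add("UserX")
    before = requires_2fa_live("UserX", namespaces)
    # UserX was never a member of A, so removing them from A changes nothing.
    a.members.discard("UserX")
    still = requires_2fa_live("UserX", namespaces)
    # Leaving the project itself is the only membership that matters here.
    d.members.discard("UserX")
    after = requires_2fa_live("UserX", namespaces)
    return before, still, after


class CachedFlagStore:
    """Hypothetical per-user flag, set when a member is added to a 2FA-enforcing
    namespace. The buggy path never recomputes it on removal; the fixed path
    re-derives it from live memberships."""

    def __init__(self) -> None:
        self.flag: Dict[str, bool] = {}

    def on_member_added(self, user: str, ns: Namespace) -> None:
        if ns.effective_2fa():
            self.flag[user] = True

    def on_member_removed_buggy(self, user: str, ns: Namespace) -> None:
        pass  # stale: the flag stays True although no membership requires 2FA

    def on_member_removed_fixed(self, user: str, namespaces: List[Namespace]) -> None:
        self.flag[user] = requires_2fa_live(user, namespaces)

    def requires(self, user: str) -> bool:
        return self.flag.get(user, False)


def scenario_cached(fixed: bool) -> Tuple[bool, bool]:
    """Cached-flag requirement: (after add, after removal from the project)."""
    namespaces = build_structure()
    d = namespaces[3]
    store = CachedFlagStore()
    d.members.add("UserX")
    store.on_member_added("UserX", d)
    before = store.requires("UserX")
    d.members.discard("UserX")
    if fixed:
        store.on_member_removed_fixed("UserX", namespaces)
    else:
        store.on_member_removed_buggy("UserX", d)
    return before, store.requires("UserX")


if __name__ == "__main__":
    print("live:", scenario_live())           # (True, True, False)
    print("cached, buggy:", scenario_cached(False))  # (True, True)
    print("cached, fixed:", scenario_cached(True))   # (True, False)
```

The live derivation shows the expected behaviour from the report: the requirement exists only while a membership in a 2FA-enforcing namespace exists, and a "leave project" action on D is sufficient to clear it. The cached variant shows why a removal hook that does not recompute the flag leaves the user locked out even after the owner removes them, and why the fix is to re-derive the flag from memberships on every membership change rather than only on add.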