Unauthorized User Can Promote Project Label to Group Label via API

HackerOne report #695003 by rafiem on 2019-09-14, assigned to @jritchey:

Hi Team,

I notice that now I am using GitLab Edition 12.3.0-pre, and in the API documentation I notice that a new endpoint is introduced in GitLab 12.3: Promote a project label to a group label. I then found an improper access control that allows any user that is invited as "Reporter" level or higher to any of the projects in a group to promote a project label to a group label. When a user is invited just for a specific project of a group, the user is granted "Guest"-like access to the group, and this level should just have the privileges of a "Guest" user. In the permission documentation, it states that "Manage group labels" requires at least the "Reporter" privilege level. This issue is valid in both public and private groups. In the PoC, I will demonstrate just for a private group.

Proof of Concept

1.) Let's say User A has a private group. In this case, I am using this group: https://gitlab.com/sukijan
2.) User A then invites User B as "Reporter" to one of the private group's projects. In this case: https://gitlab.com/sukijan/yyyy
3.) User B can then view the list of labels in the project's label section.
4.) Notice that there is no option to promote a label to the group labels. The only options are to make a new label, prioritize, edit, delete and subscribe/unsubscribe a label.
5.) Using the access token of User B, at the API endpoint https://gitlab.com/api/v4/projects/14306800/labels/promote, User B can make a PUT request by specifying the label name in the body data to promote a project label to a group label.
6.) The promote action succeeds.

PoC video attached: PoC.webm

Impact

A user that only has access to a specific project in a group is able to promote a project label to the group even if the user doesn't have access in the group (just "Guest"-like access).

Best Regards,
@rafiem

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • PoC.webm
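To make the permission gap concrete from the defender's side, here is an added illustrative model in Ruby. It is not GitLab's own policy code and not its actual fix; the group, project, user names, role table and the simulated endpoint handler are all constructed for this example. It contrasts a check that looks at the caller's role on the project (the behaviour the report describes) with one that looks at the caller's effective role on the group, which is what "manage group labels" at Reporter level implies.

```ruby
# Added example, not GitLab's code: a minimal model of the authorization
# decision behind PUT /projects/:id/labels/promote.
# Everything below (roles, structs, fixture data) is constructed for illustration.

# Access levels ordered by privilege, mirroring the documented role ladder.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Group   = Struct.new(:path, :members, :labels)          # members: { user => role }
Project = Struct.new(:path, :group, :members, :labels)  # labels: array of names

# Role the user holds on the group itself. A user who is only a member of one
# of the group's projects is treated as a group Guest, the "Guest-like"
# access the report describes. Returns nil for complete outsiders.
def effective_group_role(project, user)
  group = project.group
  return group.members[user] if group.members.key?(user)
  return :guest if project.members.key?(user)
  nil
end

def at_least?(role, required)
  !role.nil? && ACCESS_LEVELS.fetch(role) >= ACCESS_LEVELS.fetch(required)
end

# Vulnerable variant: checks the caller's role on the *project*, so a project
# Reporter with no group membership passes.
def can_promote_label_vulnerable?(project, user)
  at_least?(project.members[user], :reporter)
end

# Hardened variant: promotion creates a *group* label, so the permission that
# matters is "manage group labels", i.e. Reporter or higher on the group.
def can_promote_label_fixed?(project, user)
  at_least?(effective_group_role(project, user), :reporter)
end

# Simulated endpoint handler. Returns an HTTP-like [status, message] pair and,
# on success, moves the label from the project to the group.
def promote_label(project, user, label_name, check: method(:can_promote_label_fixed?))
  return [403, "forbidden"] unless check.call(project, user)
  return [404, "label not found"] unless project.labels.delete(label_name)
  project.group.labels << label_name
  [200, "promoted"]
end

# Constructed fixture: user_a owns the group, user_b is a Reporter on one
# project only (no direct group membership).
def build_fixture
  group = Group.new("example-group", { "user_a" => :owner }, [])
  Project.new("example-group/example-project", group,
              { "user_a" => :owner, "user_b" => :reporter }, ["bug"])
end

if __FILE__ == $PROGRAM_NAME
  project = build_fixture
  puts "vulnerable check lets user_b promote: #{can_promote_label_vulnerable?(project, 'user_b')}"
  puts "fixed check lets user_b promote:      #{can_promote_label_fixed?(project, 'user_b')}"
  puts "user_b via fixed handler: #{promote_label(project, 'user_b', 'bug').inspect}"
  puts "user_a via fixed handler: #{promote_label(project, 'user_a', 'bug').inspect}"
end
```

The design point is where the role lookup happens: an endpoint that mutates a group-scoped resource has to be authorized against the group, not against the project it is reached through, otherwise the implicit Guest-like group access of a project member is silently upgraded.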