ESCALATED: Project | Invite member | Access expiration date - can set expiration for past dates
HackerOne report #694932 by henonoah
on 2019-09-14, assigned to @jbroullon:
Summary
I encountered the issue while adding members to my project. I am able to intercept and overwrite POST values, in particular the "expires_at" attribute. I didn't see any validation message; instead the data got saved.
Steps to reproduce
I am using the Burp Suite tool to intercept all requests.
- Invite member for the project
- Intercept post request (https://gitlab.com/navaraj99/sep15/-/project_members)
- Now update the "expires_at" attribute to any past date
- Submit the request
I have also attached some screenshots from GitLab and Burp. Please have a look at them.
What is the expected correct behavior?
All POST data should be validated properly, and it would be great if a proper, relevant error message were shown instead of the request being submitted successfully.
Impact
A team member can read or write to a project regardless of the expiration date: even though his/her access has expired, he/she can still have access to the project. As stated by OWASP, an attacker can exploit a broken access control vulnerability, and this also gives him a clue to attempt access violations across the entire application.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
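The two server-side checks the report asks for, as an added example written for this page and not GitLab's own code: a model validation that rejects an "expires_at" value already in the past (so rewriting the POST body cannot store one), and an authorization check that denies access once a membership has expired, as defence in depth in case a bad date is already in the table. The `ProjectMember` class, the `invite_member` helper, the `today:` parameter and the sample request parameters are all constructed for this illustration; the rule that today's date is still acceptable is an assumption, not GitLab's policy.

```ruby
require 'date'

# Constructed minimal project-membership record (not GitLab's Member model).
class ProjectMember
  attr_reader :user, :access_level, :expires_at, :errors

  # today: injected so the check is deterministic and testable
  def initialize(user:, access_level:, expires_at: nil, today: Date.today)
    @user = user
    @access_level = access_level
    @expires_at = expires_at
    @today = today
    @errors = []
  end

  # Validation run before create/update. An expiration date in the past is
  # rejected with an error message, which is what the reporter expected to see.
  def valid?
    @errors = []
    if @expires_at
      if !@expires_at.is_a?(Date)
        @errors << "expires_at must be a date"
      elsif @expires_at < @today
        @errors << "expires_at cannot be a date in the past"
      end
    end
    @errors.empty?
  end

  # Defence in depth: even if a past date slipped into storage, authorization
  # must not grant access after the membership has expired.
  def expired?(on: @today)
    !@expires_at.nil? && @expires_at < on
  end

  def can_access?(on: @today)
    !expired?(on: on)
  end
end

# Simulates the controller side of the invite: parse the untrusted
# "expires_at" string from the request and validate before saving.
# Returns [member, errors]; member is nil when validation fails.
def invite_member(params, today: Date.today)
  expires_at = nil
  raw = params["expires_at"]
  if raw && !raw.empty?
    begin
      expires_at = Date.iso8601(raw)
    rescue ArgumentError
      # Date::Error is an ArgumentError, so malformed input lands here too
      return [nil, ["expires_at is not a valid date"]]
    end
  end

  member = ProjectMember.new(
    user: params["user"],
    access_level: params["access_level"],
    expires_at: expires_at,
    today: today
  )
  return [nil, member.errors] unless member.valid?

  [member, []]
end
```

Running `invite_member({"user" => "alice", "access_level" => "developer", "expires_at" => "2019-09-01"}, today: Date.new(2019, 9, 14))` returns no member and the error `expires_at cannot be a date in the past`, which is the response the intercepted request in the report should have received; a future date is accepted, and `can_access?` flips to false once that date has passed.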