Revoked User can approve a Merge Request created by him via approve/unapprove API which leads to Merge request info leak
HackerOne report #1198317 by muthu_prakash
on 2021-05-15, assigned to GitLab Team:
Report
Summary
In GitLab, when a user is demoted to the Guest role, the Guest user is no longer able to view or edit the merge requests in a project, even ones created by him. But the Guest user can still use the Approvals API to approve/unapprove a merge request after being demoted to Guest. This API also leaks the merge request details that the Guest user is not supposed to view.
Steps to reproduce
- Created a new project with private access
- Created a new file in the master branch (made some changes)
- Invited a user with the Maintainer role.
- From the Maintainer role account, created a new branch named test and made some changes.
- After that, from the project admin account I created a merge request with source branch test and target branch master.
- Assigned that merge request to the Maintainer role user.
- After creating the merge request, from the project admin account demoted the Maintainer role user to the Guest role
- From the demoted user account I created a personal access token with all the available scopes selected
- Using an API client, sent a POST request to the approvals endpoint
Sample endpoint: - This API endpoint will respond with a 201 status and the merge request details, which the Guest user is not supposed to approve or view.
Impact
Demoted users can approve the merge requests created by them and can view the confidential data of those merge requests once their role is revoked. This leads to sensitive info disclosure to unauthorised users.
What is the current bug behavior?
Demoted users can approve the merge requests created by them and can view the confidential data of those merge requests once their role is revoked
What is the expected correct behavior?
Demoted users should be blocked from approving the merge requests created by them and viewing the confidential data of those merge requests once their role is revoked
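The expected behaviour above comes down to one property: the approval endpoint must authorise against the caller's current project access level, not against authorship or assignment recorded when the merge request was created, and a denial must not echo the merge request back. The following Ruby model is an added example written for this report, not GitLab's own code; the role ladder, the `Project`/`MergeRequest` structs, and the thresholds (Reporter to read, Developer to approve on a private project) are assumptions chosen to illustrate the check.

```ruby
# Added example, not GitLab code: a vulnerable approval check next to a hardened one.
# Assumed access levels (ordered); a user absent from the member map has level 0.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Project      = Struct.new(:id, :visibility, :members)   # members: { user_id => role symbol }
MergeRequest = Struct.new(:iid, :project, :author_id, :assignee_id, :title, :approvals)

def access_level(project, user_id)
  role = project.members[user_id]
  role ? ACCESS_LEVELS.fetch(role) : 0
end

# Payload the API returns on success; this is the data a Guest must never see.
def mr_payload(mr)
  { iid: mr.iid, title: mr.title, author_id: mr.author_id, approved_by: mr.approvals.dup }
end

# Vulnerable shape: being author or assignee of the MR is enough to approve,
# so a membership downgrade after creation is never consulted.
def approve_vulnerable(mr, user_id)
  permitted = mr.author_id == user_id ||
              mr.assignee_id == user_id ||
              access_level(mr.project, user_id) >= ACCESS_LEVELS[:developer]
  return [403, { message: "403 Forbidden" }] unless permitted
  mr.approvals << user_id unless mr.approvals.include?(user_id)
  [201, mr_payload(mr)]
end

# Hardened shape: evaluate the caller's *current* level at request time.
# Below the read threshold answer 404 so the MR's existence is not confirmed;
# between read and approve thresholds answer 403 with no MR fields in the body.
def approve_hardened(mr, user_id)
  level = access_level(mr.project, user_id)
  return [404, { message: "404 Not Found" }] unless level >= ACCESS_LEVELS[:reporter]
  return [403, { message: "403 Forbidden" }] unless level >= ACCESS_LEVELS[:developer]
  mr.approvals << user_id unless mr.approvals.include?(user_id)
  [201, mr_payload(mr)]
end

# Constructed scenario mirroring the report: MR created while user 200 was a
# Maintainer and assigned to them, then user 200 is demoted to Guest.
def demotion_scenario
  project = Project.new(1, :private, { 100 => :owner, 200 => :maintainer })
  build_mr = -> { MergeRequest.new(7, project, 100, 200, "Rotate signing keys", []) }
  project.members[200] = :guest   # demotion happens after the MR exists
  {
    vulnerable: approve_vulnerable(build_mr.call, 200),
    hardened:   approve_hardened(build_mr.call, 200),
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demotion_scenario
  puts "vulnerable: #{result[:vulnerable].inspect}"   # 201 plus MR details leaked to a Guest
  puts "hardened:   #{result[:hardened].inspect}"     # 404, no MR fields
end
```

The same pattern applies to the unapprove path and to any other endpoint that short-circuits on "is this the author/assignee": the authorship relation is static, the membership relation is not, and only the latter reflects a revocation.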
Output of checks
This bug happens on GitLab.com