Delete wrong branch bypassing user confirmation in protected branches leading to data loss.
HackerOne report #1223852 by friyin
on 2021-06-11, assigned to GitLab Team:
Report
Summary
Using the web interface, I discovered that if you try to delete a branch with %2F in its name, you will really delete another branch with almost the same name but with / instead of %2F, being able to bypass the protected branch user confirmation modal dialog.
Steps to reproduce
- Create a branch with a slash in its name, for example test/feat1
- Protect the branch test/feat1
- Create another branch with the name test%2Ffeat1
- Go to "Repository/branches" and try to delete test%2Ffeat1
- You will notice that the branch appears to be deleted
- Press F5 or refresh to see the real branch list
What is the current bug behavior?
The wrong branch is deleted. This can be a serious problem if that branch is protected, because it is deleted without the special confirmation form.
What is the expected correct behavior?
Delete the branch you actually selected, not a different one.
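The failure mode above, as an added Ruby model that is not GitLab's code: a branch name that is URL-decoded once more than it should be resolves "test%2Ffeat1" to "test/feat1", and because the protected-branch check is keyed on the name the user typed, the protected branch is deleted with no confirmation. The hardened variant acts only on the exact name selected and gates confirmation on that same name. The BranchStore class and branch names are constructed for the example.

```ruby
require 'cgi'

# Constructed in-memory stand-in for a repository's branches (not GitLab's model).
class BranchStore
  attr_reader :branches, :protected

  def initialize(branches, protected)
    @branches = branches.dup   # names of branches that exist
    @protected = protected.dup # names of branches that are protected
  end
end

# Models the defect in the report. `param` is the branch name as the controller
# receives it, i.e. already decoded once by the framework. Decoding it a second
# time turns "test%2Ffeat1" into "test/feat1", while the confirmation check
# looks at the undecoded name, which is not protected.
def delete_branch_vulnerable(store, param)
  resolved = CGI.unescape(param) # extra decode: %2F -> /
  return [:not_found, nil] unless store.branches.include?(resolved)
  return [:needs_confirmation, param] if store.protected.include?(param)
  store.branches.delete(resolved)
  [:deleted, resolved]
end

# Hardened variant: act on the exact name the user selected, and decide
# whether confirmation is required from that same name.
def delete_branch_safe(store, name, confirmed: false)
  return [:not_found, nil] unless store.branches.include?(name)
  return [:needs_confirmation, name] if store.protected.include?(name) && !confirmed
  store.branches.delete(name)
  [:deleted, name]
end

# Repository layout from the report: test/feat1 is protected, test%2Ffeat1 is not.
def fresh_store
  BranchStore.new(%w[main test/feat1 test%2Ffeat1], %w[main test/feat1])
end

if __FILE__ == $PROGRAM_NAME
  s = fresh_store
  p delete_branch_vulnerable(s, 'test%2Ffeat1') # [:deleted, "test/feat1"]: protected branch gone
  s = fresh_store
  p delete_branch_safe(s, 'test%2Ffeat1')       # [:deleted, "test%2Ffeat1"]
  p delete_branch_safe(s, 'test/feat1')         # [:needs_confirmation, "test/feat1"]
end
```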
Results of GitLab environment info
root@329409c303d3:/# gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version:2.1.4
Rake Version: 13.0.3
Redis Version: 6.0.12
Git Version: 2.31.1
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version: 13.12.3
Revision: 757327a59bc
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.6
URL: https://git.imaginadesarrollo.es
HTTP Clone URL: https://git.imaginadesarrollo.es/some-group/some-project.git
SSH Clone URL: ssh://git@git.imaginadesarrollo.es:2222/some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.18.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
- Be able to delete a protected branch without confirmation.
- Delete wrong branch possibly leading to loss of information.