GitLab.org / GitLab / Issues / #335191

"Require Code Owner approval" bypass using unverified email addresses

HackerOne report #1237750 by vaib25vicky on 2021-06-18, assigned to H1 Triage:


Report

Summary:

CODEOWNERS files allow unverified email addresses when mapping addresses to GitLab usernames.
If a CODEOWNERS file contains an email address that has no associated GitLab account, an
attacker can add that email address to their own account and become a code owner.
This allows malicious members to bypass the "Require Code Owner approval" check on protected branches.

Details:

Protected branch rules allow the owner of a project to restrict who can push and merge to the branch.
One of those rules is "Require Code Owner approval".

The CODEOWNERS file specifies who can approve a merge request; only after that approval
can the code be pushed to the protected branch.
This approval applies to everyone, including maintainers of the project.

The CODEOWNERS file syntax allows defining members by username and by email address
(https://docs.gitlab.com/ee/user/project/code_owners.html#the-syntax-of-code-owners-files):

    * [@]default-codeowner

    # We can also specify multiple tab- or space-separated code owners:
    * [@]multiple [@]code [@]owners  email_address@owners

    # Rules defined later in the file take precedence over the rules defined before:
    *.rb [@]ruby-owner

After the CODEOWNERS file is created, GitLab maps the usernames and email addresses
to GitLab accounts. However, email verification is not checked, which allows a malicious
user to impersonate a different, valid code owner and bypass the code owner rule.

Steps to reproduce:

Code Owners is a Premium feature, so you will probably need to start a free trial:
go to your Group > Settings > Billing and start the free trial.

Project

  • Let's say the project is named h1-project.
  • Add 3 members: A-main (Maintainer), B-dev and C-dev (Developers).
  • Add a readme file, README.md.

Codeowners approval rule on protected branch

  • Add a CODEOWNERS file named CODEOWNERS with the following content:

        *.md [@]A-main  h1-test@dontexist127.com

  • Go to the project settings at https://gitlab.com/<namespace>/<h1-project>/-/settings/repository
    and edit the setting of your main protected branch as shown in the image.

yo_gitlab.png

Bypass Require Code Owner approval

The CODEOWNERS file clearly states that any change to a *.md file requires approval from
[@]A-main and h1-test@dontexist127.com before it can be merged and pushed.

  • C-dev adds the email h1-test@dontexist127.com to his account; the address stays unverified.
  • B-dev edits the file README.md and creates a new merge request.
  • C-dev goes to the merge request page, and he can now easily approve and merge
    the code to the protected branch, even though C-dev is NOT a code owner of the file.
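As an added illustration of the mapping defect described in Details and exercised in the steps above (example code written for this page, not GitLab's implementation): a toy CODEOWNERS resolver in Ruby with constructed accounts A-main, B-dev and C-dev, where `require_confirmed: false` models the reported behaviour and `require_confirmed: true` the fix of only honouring confirmed addresses. The glob matching and account model are simplifications and not GitLab's own.

```ruby
# Added example (not GitLab's code): a minimal model of CODEOWNERS owner
# resolution, showing why an email must only map to an account that has
# confirmed it. Glob matching is simplified relative to GitLab's own.
require 'set'

# Constructed sample accounts: C-dev has added the owner address to their
# account but never confirmed it.
ACCOUNTS = [
  { username: 'A-main', emails: [{ address: 'a@example.com', confirmed: true }] },
  { username: 'B-dev',  emails: [{ address: 'b@example.com', confirmed: true }] },
  { username: 'C-dev',  emails: [{ address: 'c@example.com', confirmed: true },
                                 { address: 'h1-test@dontexist127.com', confirmed: false }] }
].freeze

# Constructed CODEOWNERS content mirroring the rule in the report.
CODEOWNERS = "# docs need the owners below\n*.md @A-main  h1-test@dontexist127.com\n"

# Parse CODEOWNERS into [pattern, owner_tokens] pairs in file order; blank
# lines and '#' comments are skipped, and later rules take precedence.
def parse_codeowners(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    pattern, *owners = line.split(/\s+/)
    [pattern, owners]
  end
end

# Resolve one owner token to a username. With require_confirmed: false an
# email matches any account that merely lists it (the reported bug); with
# require_confirmed: true (the fix) only a confirmed address matches.
def resolve_owner(token, accounts, require_confirmed:)
  return token.delete_prefix('@') if token.start_with?('@')
  acct = accounts.find do |a|
    a[:emails].any? { |e| e[:address].casecmp?(token) && (!require_confirmed || e[:confirmed]) }
  end
  acct && acct[:username]
end

# Usernames of the code owners for a path, taken from the last matching rule.
def code_owners_for(path, codeowners_text, accounts, require_confirmed: true)
  rules = parse_codeowners(codeowners_text).select { |pattern, _| File.fnmatch(pattern, path) }
  return Set.new if rules.empty?
  rules.last[1].filter_map { |t| resolve_owner(t, accounts, require_confirmed: require_confirmed) }.to_set
end

# The approval check: may this user approve as a code owner of the path?
def code_owner?(username, path, codeowners_text, accounts, require_confirmed: true)
  code_owners_for(path, codeowners_text, accounts, require_confirmed: require_confirmed).include?(username)
end
```

With the weak mapping C-dev resolves as an owner of README.md through the unconfirmed address; with confirmed addresses required, only A-main does.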

Impact

The "Require Code Owner approval" check on protected branches can be bypassed using unverified email addresses, which allows a malicious user to merge and push code to protected branches from which he was restricted.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • yo_gitlab.png

How To Reproduce

Please add reproducibility information to this section:
