"Require Code Owner approval" bypass using unverified email addresses
HackerOne report #1237750 by vaib25vicky, on 2021-06-18, assigned to H1 Triage
Report
Summary:
CODEOWNERS files allow unverified email addresses when mapping addresses to GitLab usernames.
If a CODEOWNERS file contains an email address that has no associated GitLab account, then
an attacker can add that email address to their own account and become a code owner.
This allows malicious members to bypass the "Require Code Owner approval" check on protected branches.
Details:
Protected branch rules allow the owner of the project to restrict who can push and merge to the branch.
One of those rules is "Require Code Owner approval".
The CODEOWNERS file tells who can approve a merge request; only after that approval can the code be
pushed to the protected branch. This approval applies to everyone, including maintainers of the project.
The CODEOWNERS syntax allows defining members by username and by email address
(https://docs.gitlab.com/ee/user/project/code_owners.html#the-syntax-of-code-owners-files):
* @default-codeowner
# We can also specify "multiple tab or space" separated codeowners:
* @multiple @code @owners email_address@owners
# Rules defined later in the file take precedence over the rules
# defined before.
*.rb @ruby-owner
After the CODEOWNERS file is created, GitLab maps the usernames and email addresses in it
to GitLab accounts. However, email verification is not checked, which allows a malicious
user to impersonate a different, valid code owner and bypass the code owner rule.
Steps to reproduce:
Code Owners is a Premium feature, so you will probably have to opt for the free trial:
go to your Group > Settings > Billing and start your free trial.
Project
- Let's say the project is named h1-project.
- Add 3 members: A-main (Maintainer), B-dev and C-dev (Developers).
- Add a README.md file.
Code Owner approval rule on the protected branch
- Add a CODEOWNERS file containing:
  *.md @A-main h1-test@dontexist127.com
- Go to the project settings at
  https://gitlab.com/<namespace>/<h1-project>/-/settings/repository
  and edit your main protected branch setting as shown in the image.
Bypass "Require Code Owner approval"
The CODEOWNERS file clearly states that any change to a *.md file requires approval from
@A-main and h1-test@dontexist127.com before it can be merged and pushed.
- C-dev adds the email h1-test@dontexist127.com to his account; it remains unverified.
- B-dev edits README.md and creates a new merge request.
- C-dev goes to the merge request page and can now easily approve and merge the code
  into the protected branch as C-dev, who is NOT a code owner of the file.
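As an added illustration (not GitLab's code and not part of the original report), the following Ruby model shows the CODEOWNERS resolution described under Details and exercised in the steps above: the vulnerable check accepts any email address attached to an account, while the hardened check accepts only verified ones. The rules, accounts and email addresses below are constructed for the scenario.

```ruby
# Added example: a minimal model of CODEOWNERS owner resolution.
# Not GitLab's implementation; accounts and addresses are constructed.

# One parsed rule: a path pattern plus the owner tokens listed after it.
Rule = Struct.new(:pattern, :owners)

# Lines starting with '#' are comments; the first whitespace-separated
# token is the pattern, the remaining tokens are the owners.
def parse_codeowners(text)
  text.each_line.map do |line|
    line = line.strip
    next nil if line.empty? || line.start_with?('#')
    pattern, *owners = line.split(/\s+/)
    Rule.new(pattern, owners)
  end.compact
end

# Later rules take precedence, so the last matching rule wins.
# File.fnmatch is a simplification of GitLab's gitignore-style matching.
def owners_for(rules, path)
  match = rules.reverse.find { |r| File.fnmatch(r.pattern, path) }
  match ? match.owners : []
end

# accounts: { 'username' => [{ address: '...', verified: true/false }, ...] }
# A token starting with '@' is a username; anything else is an email.
# require_verified: false reproduces the reported bug, true is the fix.
def approver?(owners, username, accounts, require_verified:)
  emails = accounts.fetch(username, [])
  owners.any? do |token|
    if token.start_with?('@')
      token.delete_prefix('@') == username
    else
      emails.any? { |e| e[:address] == token && (!require_verified || e[:verified]) }
    end
  end
end

# Constructed scenario from the report: the second *.md owner is an
# address with no account behind it, which C-dev adds but never verifies.
CODEOWNERS_TEXT = "# default owner\n* @A-main\n*.md @A-main h1-test@dontexist127.com\n"
ACCOUNTS = {
  'A-main' => [{ address: 'a-main@example.invalid', verified: true }],
  'B-dev'  => [{ address: 'b-dev@example.invalid', verified: true }],
  'C-dev'  => [{ address: 'c-dev@example.invalid', verified: true },
               { address: 'h1-test@dontexist127.com', verified: false }],
}

def can_approve?(username, path, require_verified:)
  owners = owners_for(parse_codeowners(CODEOWNERS_TEXT), path)
  approver?(owners, username, ACCOUNTS, require_verified: require_verified)
end
```

With require_verified: false, C-dev is accepted as an approver for README.md; with require_verified: true, only A-main is.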
Impact
Bypass of "Require Code Owner approval" on protected branches using unverified email addresses, which allows a malicious user to merge and push code to protected branches from which they were restricted.