Skip to content
GitLab
Next
Closed
Issue created by GitLab SecurityBot@gitlab-securitybotReporter

Group members with developer role can escalate their privilege to maintainer on projects that they import

HackerOne report #1256017 by justas_b on 2021-07-09, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

NOTE! Thanks for submitting a report! Please replace all the (parenthesized) sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

Summary

By modifying the access_level field in project_members.ndjson file, developers can import new projects where they have a maintainer role.

Steps to reproduce

(Step-by-step guide to reproduce the issue, including:)

  1. Create 2 accounts
  2. Create a group with account A
  3. Invite account B to the group as with a max role of developer

bandicam_2021-07-09_17-35-44-867.jpg

  1. With account B, export any project you own
  2. Modify the access_level field in project_members.ndjson file in that project. Change it to 40 (maintainer)

bandicam_2021-07-09_16-22-55-049.jpg

  1. Import that project to the group where you have only developer access
  2. You should have maintainer access in that imported project

bandicam_2021-07-09_17-35-11-737.jpg

bandicam_2021-07-09_17-35-32-850.jpg

One of the attack scenarios would be to import a project as a maintainer, add a deploy token or key and then demote yourself to a developer role or leave the project entirely. Combined with #686359, a user doesn't even have to be a member of that group to be able to download the project.

Examples

(If the bug is project related, please create an example project and export it using the project export feature)

(If you are using an older version of GitLab, this will also help determine whether the bug has been fixed in a more recent version)

(If the bug can be reproduced on GitLab.com without violating the Rules of Engagement as outlined in the program policy, please provide the full path to the project.)

What is the current bug behavior?

Developers can have a maintainer role in the projects that they import.

What is the expected correct behavior?

Developers should have a max role of a developer in the projects that they import.

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)

(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)

Impact

Developers can have a maintainer role in the projects that they import.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Dominic Couture