Group members with developer role can escalate their privilege to maintainer on projects that they import
HackerOne report #1256017 by justas_b
on 2021-07-09, assigned to @dcouture:
Report
Summary
By modifying the access_level field in project_members.ndjson file, developers can import new projects where they have a maintainer role.
Steps to reproduce
- Create 2 accounts
- Create a group with account A
- Invite account B to the group with a max role of developer
- With account B, export any project you own
- Modify the access_level field in project_members.ndjson file in that project. Change it to 40 (maintainer)
- Import that project to the group where you have only developer access
- You should have maintainer access in that imported project
One of the attack scenarios would be to import a project as a maintainer, add a deploy token or key and then demote yourself to a developer role or leave the project entirely. Combined with #686359, a user doesn't even have to be a member of that group to be able to download the project.
What is the current bug behavior?
Developers can have a maintainer role in the projects that they import.
What is the expected correct behavior?
Developers should have a max role of a developer in the projects that they import.
Output of checks
This bug happens on GitLab.com
Impact
Developers can have a maintainer role in the projects that they import.
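As an added illustration of the expected behaviour described in the report (this is example code written for this page, not the reporter's or GitLab's own fix), the check below clamps every member row in an exported `project_members.ndjson` to the importing user's own access level in the destination group, so a tampered value of 40 cannot grant more than the importer already holds. The numeric levels are GitLab's access-level values; the row layout is a constructed, simplified sample.

```ruby
require 'json'

# GitLab access-level values (Gitlab::Access); 40 is maintainer, as in the report.
GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# Constructed sample export: two member rows, the second tampered to maintainer (40).
# The real export carries many more fields; only the ones this check uses are shown.
SAMPLE_NDJSON = <<~NDJSON
  {"id":1,"access_level":30,"user":{"id":101,"username":"alice"}}
  {"id":2,"access_level":40,"user":{"id":102,"username":"bob"}}
NDJSON

# Parse newline-delimited JSON into an array of hashes, ignoring blank lines.
def parse_ndjson(text)
  text.each_line.map(&:strip).reject(&:empty?).map { |line| JSON.parse(line) }
end

# Clamp each imported member's access_level to the importer's level in the
# target group. Returns [sanitized_rows, lowered] where `lowered` records every
# row whose level was reduced, so the import can be logged or flagged for review.
def sanitize_members(rows, importer_level)
  lowered = []
  sanitized = rows.map do |row|
    level = Integer(row.fetch('access_level'))
    next row if level <= importer_level

    lowered << { 'username' => row.dig('user', 'username'),
                 'from' => level, 'to' => importer_level }
    row.merge('access_level' => importer_level)
  end
  [sanitized, lowered]
end

if __FILE__ == $PROGRAM_NAME
  # A developer (30) imports the tampered export: bob's 40 is reduced to 30.
  rows, lowered = sanitize_members(parse_ndjson(SAMPLE_NDJSON), DEVELOPER)
  rows.each { |r| puts "#{r.dig('user', 'username')}: #{r['access_level']}" }
  lowered.each { |l| puts "lowered #{l['username']} from #{l['from']} to #{l['to']}" }
end
```

Rejecting the whole import instead of clamping is an equally valid policy; the important property is that the importer's group role, not the file, is the ceiling.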
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- bandicam_2021-07-09_17-35-44-867.jpg
- bandicam_2021-07-09_17-35-11-737.jpg
- bandicam_2021-07-09_16-22-55-049.jpg
- bandicam_2021-07-09_17-35-32-850.jpg