Users with expired password can still access API and Git with token
HackerOne report #1285226 by joaxcar
on 2021-07-30, assigned to GitLab Team:
Report
Summary
Users with an "expired password" can still access the full API with tokens. This includes the REST API, the GraphQL API and Git HTTP access. The same issue was mitigated in 13.12.2 as "Insufficient Expired Password Validation". That patch blocked users with expired passwords from accessing the REST API. My report 1192460 led to a patch in 14.0.2 that also blocked access through GraphQL.
It seems that these patches caused some problems for users accessing GitLab instances using LDAP, and a merge request trying to address this problem got merged in one of the latest releases. Unfortunately this new "fix for LDAP" also seems to have opened up access for regular user accounts with expired passwords again.
Images showing access through REST, GraphQL and Git with an account with an expired password:
REDACTED
Steps to reproduce
(tested on 14.1.0 self-hosted)
- Create a user user01, and log in
- Create a new project at https://gitlab.domain.com/projects/new#blank_project, making sure to set it as private. Take a note of the ID of the project
- Go to https://gitlab.domain.com/-/profile/personal_access_tokens and create a personal access token
- Log in as an administrator
- Go to the admin page for editing the user https://gitlab.domain.com/admin/users/user01/edit and change the user's password. This triggers "password expired at" to be set to the current time, effectively putting user01 in the state of "expired password"
- Trying to log in as user01 with the old password will now fail; using the new password will trigger the "enter a new password" page. Do not enter a new password here, as this will put the user in an unexpired state again
REDACTED
- Now instead try to use the user01 token from step 2 in a REST request such as
  curl --request GET \
    --url https://gitlab.domain.com/api/v4/projects/:ID \
    --header 'Authorization: Bearer <TOKEN>'
  This should show the private project that should not be accessible.
Impact
A user that should not have access to the instance as the password has expired can still access the API and Git with tokens.
What is the current bug behavior?
Requests to the API and Git are not blocked for users with an expired password
What is the expected correct behavior?
Requests to the API and Git by users with an expired password should be blocked and presented with a message like "403 Forbidden - Your password expired. Please access GitLab from a web browser to update your password." as before.
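To make the expected behaviour concrete, here is an added illustrative model of the gate that every token-authenticated path (REST, GraphQL, Git over HTTP) should pass through, written for this page in Ruby and not GitLab's own code. The User and Token structs, the ldap_user flag used to model the LDAP carve-out, the function names and the token values are all constructed assumptions; only the 403 message is taken from the report.

```ruby
# Minimal user model with only the fields the check needs (constructed).
User = Struct.new(:username, :password_expired_at, :ldap_user, keyword_init: true) do
  # The report describes an admin password reset setting this timestamp to
  # the current time; any non-nil value at or before "now" means "expired".
  def password_expired?
    !password_expired_at.nil? && password_expired_at <= Time.now
  end
end

Token = Struct.new(:value, :user, keyword_init: true)

# Response body the report quotes as the expected behaviour.
EXPIRED_MESSAGE = '403 Forbidden - Your password expired. Please access GitLab ' \
                  'from a web browser to update your password.'

# The gate. LDAP users are exempt because their password lifecycle lives in the
# directory (hypothetical modelling of the LDAP carve-out the report mentions);
# every other user with an expired local password is refused no matter how
# valid the presented token itself is.
def token_access_allowed?(user)
  return true if user.ldap_user

  !user.password_expired?
end

# Simulated API endpoint: returns [status, body] like an HTTP handler would.
def api_request(tokens, presented_token, project)
  token = tokens[presented_token]
  return [401, 'Unauthorized'] if token.nil?
  return [403, EXPIRED_MESSAGE] unless token_access_allowed?(token.user)

  [200, project]
end

PRIVATE_PROJECT = { id: 1, name: 'constructed-private-project', visibility: 'private' }.freeze

# Constructed fixture: user01 (local account) and an LDAP account that shares
# the same expiry timestamp but must be ignored by the check.
def constructed_tokens(expired_at:)
  user01 = User.new(username: 'user01', password_expired_at: expired_at, ldap_user: false)
  ldap01 = User.new(username: 'ldap01', password_expired_at: expired_at, ldap_user: true)
  {
    'constructed-token-user01' => Token.new(value: 'constructed-token-user01', user: user01),
    'constructed-token-ldap01' => Token.new(value: 'constructed-token-ldap01', user: ldap01)
  }
end

# Token minted while the password is still valid: access is granted.
def status_before_reset
  api_request(constructed_tokens(expired_at: nil), 'constructed-token-user01', PRIVATE_PROJECT).first
end

# After the admin reset the very same token must be refused with the 403 message.
def response_after_reset
  api_request(constructed_tokens(expired_at: Time.now - 1), 'constructed-token-user01', PRIVATE_PROJECT)
end

# The LDAP exemption must not leak back to local accounts: the LDAP user passes
# while user01, with the same timestamp, does not.
def status_ldap_after_reset
  api_request(constructed_tokens(expired_at: Time.now - 1), 'constructed-token-ldap01', PRIVATE_PROJECT).first
end

def status_unknown_token
  api_request(constructed_tokens(expired_at: nil), 'no-such-token', PRIVATE_PROJECT).first
end

if __FILE__ == $PROGRAM_NAME
  puts "user01 before reset: #{status_before_reset}"
  puts "user01 after reset:  #{response_after_reset.inspect}"
  puts "ldap01 after reset:  #{status_ldap_after_reset}"
end
```

The point of the model is the order of the two conditions in token_access_allowed?: the directory exemption is a narrow early return keyed on the account type, and the expiry check still runs for everyone else, so a regression like the one reported (an LDAP fix that re-opens token access for ordinary accounts) shows up as response_after_reset no longer returning 403.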
Impact
Users with expired passwords can still access the full API and Git using tokens
Attachments
REDACTED