Non Member of Public Project Can Publish Drafted Reviews on Locked Merge Request
HackerOne report #706044 by rafiem on 2019-10-02, assigned to @cmaxim:
Hi Team,
I have found an improper access control issue on comment changes in the merge request section. In the Changes section of a merge request, a user can make a review, add a comment, and reply to a comment on a specific line of changed code. In the case of submitting a review, the user first creates a draft of the review, and then can finish the review and submit it, or add the comment now. In the issue I found, when a non-member of a public project has previously created a pending draft review on one of the merge requests, the user is still able to publish and submit the drafted review even if the merge request is locked by the members of the project. This violates the rule of a locked merge request, that only project members can comment on all parts of the specific merge request.
Proof of Concept
1.) User A has a public project, for example: https://gitlab.com/bajigur/cuk1
2.) User B then makes a draft review on one of the merge requests in https://gitlab.com/bajigur/cuk1
3.) User A then sets the merge request on which User B made a draft review to Locked
4.) User B is still able to submit and publish the drafted review that he previously made, which allows User B to comment on part of the merge request, which is forbidden when the merge request is locked
PoC Video Attached
PoC.webm
Impact
Non-members are still able to comment on a merge request through a draft review in Changes even if the merge request is locked
Best Regards,
@rafiem
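The authorization gap described in the report, modelled as an added example (this is not GitLab's code; the class and method names are hypothetical): the policy is enforced when the draft is created but, in the vulnerable variant, not re-evaluated when the draft is published after the merge request has been locked.

```ruby
# Added example: models the draft-review publish check described in the report.
# Names (Project, MergeRequest, can_create_note?) are hypothetical, not GitLab's.
class Project
  attr_reader :members
  def initialize(members)
    @members = members # usernames holding project membership (constructed)
  end
  def member?(user)
    members.include?(user)
  end
end
class MergeRequest
  attr_accessor :discussion_locked
  attr_reader :project, :notes, :drafts
  def initialize(project)
    @project = project
    @discussion_locked = false
    @notes = []
    @drafts = Hash.new { |h, k| h[k] = [] }
  end
  # Locked discussion: only project members may add notes.
  def can_create_note?(user)
    !discussion_locked || project.member?(user)
  end
  # Draft creation checks the policy at drafting time.
  def create_draft(user, text)
    raise "forbidden" unless can_create_note?(user)
    drafts[user] << text
  end
  # Vulnerable: relies solely on the check made at draft time.
  def publish_drafts_vulnerable(user)
    notes.concat(drafts.delete(user) || [])
    notes.size
  end
  # Fixed: re-evaluates the policy at publish time, after any lock change.
  def publish_drafts(user)
    raise "forbidden" unless can_create_note?(user)
    notes.concat(drafts.delete(user) || [])
    notes.size
  end
end
# Constructed scenario following the report's steps 2-4; returns the
# published note count, or "forbidden" when the publish is rejected.
def reproduce(fixed:)
  mr = MergeRequest.new(Project.new(%w[user_a]))
  mr.create_draft("user_b", "nit: rename this") # non-member drafts while unlocked
  mr.discussion_locked = true                   # owner locks the merge request
  fixed ? mr.publish_drafts("user_b") : mr.publish_drafts_vulnerable("user_b")
rescue RuntimeError => e
  e.message
end
```

`reproduce(fixed: false)` publishes the non-member's note on the locked merge request, while `reproduce(fixed: true)` rejects it; a project member can still publish in both variants.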
Attachments