Trial licenses can be used to create project access tokens on gitlab.com
HackerOne report #1325209 by ashish_r_padelkar
on 2021-08-31, assigned to @ankelly:
Report
Summary
Hello,
As per this document https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html, project access tokens are available on gitlab.com but only for paid groups and not for trial licenses.
This issue also says the same https://gitlab.com/gitlab-org/gitlab/-/merge_requests/43190
We're now expanding the feature to paid accounts (to prevent abuse) in GitLab.com.
- which means not for trial licenses!
However, I found a way to create project access tokens using trial licenses too on gitlab.com!
Steps to reproduce
- Create 2 groups on gitlab.com. Example: Group1 and Group2.
- Create a project within Group2 as Project1.
- Now transfer Group2 within Group1 by going in Group2 settings at https://gitlab.com/groups/Group2/-/edit --> Transfer group.
- Now that Group2 and its project Project1 are inside Group1, we can now apply trial license to Group1 at https://gitlab.com/groups/Group1/-/billings.
- Once you apply trial license to Group1, go to Project1 --> https://gitlab.com/Group1/Group2/Project1 and click on setting menu. You should see Access Tokens in options!
What is the current bug behavior?
Trial license groups can be used to create project access tokens which are actually available for only paid users as of now on gitlab.com
What is the expected correct behavior?
Feature should be limited to only paid users on gitlab.com as of now!
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Trial License groups can create project access tokens which are supposed to be available only for paid users on gitlab.com.
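The last reproduction step above checks the UI for an "Access Tokens" entry in the project settings. The script below is an added example, not part of the report or of GitLab's own tooling, that performs the same check through the GitLab REST API: it attempts to create a project access token for a project and, if that succeeds, revokes it immediately so the probe leaves nothing behind. It assumes the groups, the transfer and the trial have already been set up as described in the steps (the trial is applied in the billing UI and is not scripted here), that GITLAB_TOKEN holds a personal access token with the api scope for a user who is Owner or Maintainer of the project, and that the project path (for example Group1/Group2/Project1) is passed as the first argument. The status-to-verdict mapping (201 created, 403 feature not available or insufficient role, 404 project not visible) is the author's reading of the API's usual behaviour, not something stated in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the report): API-level check of whether a project can
# create project access tokens. Requires GITLAB_TOKEN (api scope) in the
# environment; GITLAB_API defaults to gitlab.com.
set -u

GITLAB_API="${GITLAB_API:-https://gitlab.com/api/v4}"

# Percent-encode the slashes of a full project path so it can be used as :id.
# (Group1/Group2/Project1 must become Group1%2FGroup2%2FProject1, otherwise the
# path is split into route segments and the request 404s.)
urlencode_path() {
  printf '%s' "$1" | sed -e 's|/|%2F|g'
}

# Build the project access tokens endpoint for a full project path.
pat_endpoint() {
  printf '%s/projects/%s/access_tokens' "$GITLAB_API" "$(urlencode_path "$1")"
}

# Map the HTTP status of POST .../access_tokens to a verdict (assumed mapping):
#   201 -> tokens are enabled for this project (one was actually created)
#   403 -> feature not available for the namespace, or caller lacks the role
#   404 -> project not visible to the caller
interpret_status() {
  case "$1" in
    201) echo "enabled" ;;
    403) echo "disabled" ;;
    404) echo "not-found" ;;
    *)   echo "unexpected:$1" ;;
  esac
}

# Try to create a read-only token named pat-probe; on success, delete it again
# by id so no live credential is left behind. Prints the verdict.
probe_project_access_tokens() {
  local path="$1" url body status token_id
  url="$(pat_endpoint "$path")"
  body="$(mktemp)"
  status="$(curl -sS -o "$body" -w '%{http_code}' \
    -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
    -H 'Content-Type: application/json' \
    -X POST "$url" \
    -d '{"name":"pat-probe","scopes":["read_api"]}')"
  if [ "$status" = "201" ]; then
    # The created token's numeric id is returned in the JSON body.
    token_id="$(sed -n 's/.*"id":\([0-9]*\).*/\1/p' "$body" | head -n1)"
    if [ -n "$token_id" ]; then
      curl -sS -o /dev/null -X DELETE \
        -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" "$url/$token_id"
    fi
  fi
  rm -f "$body"
  interpret_status "$status"
}

# Usage: GITLAB_TOKEN=... ./probe.sh Group1/Group2/Project1
if [ $# -gt 0 ]; then
  probe_project_access_tokens "$1"
fi
```

Run it once against Project1 before the trial is applied and once after: a change from disabled to enabled is the API-side equivalent of the "Access Tokens" entry appearing in the settings menu. Because the probe really creates a token when the feature is on, keep the revoke step; a leftover pat-probe token with read_api scope is itself a credential.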