
User with expired password can still access sensitive info

HackerOne report #1348738 by joaxcar on 2021-09-22, assigned to @vdesousa:


Report

Summary

When a user's password has expired, the user cannot access the GitLab instance before providing a new one. The user will not be able to view projects or groups, nor the merge request list in those projects where the user previously had access.

The latest patch to GitLab introduces an RSS feed for tracking updates to a project's merge requests. This feed is available to the user even after the rest of GitLab is blocked due to password expiration.

This could be related to my previous report, where a user with an expired password could access the API, but I have not been able to confirm that.

(This also affects users who have retrieved an RSS feed before a "terms of service" is put in place by an admin. The user will be prompted with "accept or log out"; if the user clicks deny and logs out, the user will not be able to access internal or private projects anymore, but can still access the RSS feeds!)

Steps to reproduce

  1. Create two users, one admin admin1 and one user user1
  2. Log in as admin1 and create a private project project1 on https://gitlab.domain.com/projects/new#blank_project
  3. Create a branch on https://gitlab.joaxcar.com/admin1/project1/-/branches/new and click "create merge request" when the branch is created
  4. Create a merge request to main
  5. Go to https://gitlab.domain.com/admin1/project1/-/project_members and invite user1 as a Developer to the project
  6. Log out and log in as user1
  7. Go to https://gitlab.domain.com/admin1/project1/-/merge_requests
  8. Click the RSS icon

(Screenshot: rss.png)

  9. Save the path to the RSS feed in a separate tab
  10. Log out and log in as admin1
  11. Go to the admin page for editing user1, https://gitlab.domain.com/admin/users/user1/edit, and change the user's password. This triggers "password expired at" to be set to the current time, effectively putting user1 in the "expired password" state
  12. Log out
  13. Refresh the tab with the RSS feed and confirm that it can still access the feed. (This is done as user1.)

Impact

A user with an expired password can still access information about merge requests in internal and private projects.

What is the current bug behaviour?

RSS feeds are accessible by users that have an expired password.

What is the expected correct behaviour?

RSS feeds should be blocked for users with an expired password, like the rest of GitLab.

Output of checks

This bug happens on GitLab.com

Impact

A user with an expired password can access a stream of information from internal and private projects that should be out of reach.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

@bdenkovych update

While reading the codebase I noticed that there are lots of endpoints that authenticate users with an expired password. Here is the list:

You can reproduce this issue for all those endpoints by following similar steps described for /*namespace_id/:project_id/-/merge_requests.atom.

As mentioned in #343247 (comment 713877122), users like LDAP and OmniAuth users should retain access even with an expired password.

In https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2042 I added test cases to cover all these endpoints.

Edited by Bogdan Denkovych
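The root cause described in the report and in the follow-up comment is an authorization decision that is made for the HTML views but not for every response format the same controller action serves (the `.atom` feed). The following is an added illustration, not GitLab's own code or schema: a small Ruby model in which the password-expiry rule (and the terms-of-service rule the reporter mentions) is evaluated once, before any format-specific rendering, and a consistency check confirms that `html`, `json` and `atom` requests by the same user always get the same decision. The `User` struct, its field names, the `authorize_request` and `consistent_across_formats?` helpers and all sample users are constructed for this example; the exemption for LDAP/OmniAuth users follows the comment above.

```ruby
# Added example (not GitLab's code): one authorization gate that applies
# the password-expiry rule to every response format, including the Atom
# feed that the report shows slipping through.

require 'time'

# Hypothetical, constructed user record; field names are assumptions,
# not GitLab's database schema.
User = Struct.new(:username, :password_expires_at, :auth_provider, :accepted_terms,
                  keyword_init: true) do
  # Users whose credentials live in an external identity provider (LDAP,
  # OmniAuth) never log in with a GitLab password, so the expiry rule does
  # not apply to them, as the issue comment notes.
  def external_auth?
    !auth_provider.nil? && auth_provider != :password
  end

  # Expired when an expiry timestamp exists and is not in the future.
  def password_expired?(now = Time.now)
    !password_expires_at.nil? && password_expires_at <= now
  end
end

# Response formats served by the same controller action.
ALL_FORMATS = %i[html json atom].freeze

# Returns [:allow] or [:deny, reason]. The decision is computed before
# rendering, so `.atom` cannot diverge from `.html` for the same user.
def authorize_request(user, format:, terms_required: false, now: Time.now)
  raise ArgumentError, "unknown format #{format.inspect}" unless ALL_FORMATS.include?(format)
  return [:deny, :unauthenticated] if user.nil?
  return [:deny, :password_expired] if user.password_expired?(now) && !user.external_auth?
  return [:deny, :terms_not_accepted] if terms_required && !user.accepted_terms

  [:allow]
end

# Defender-side check mirroring the reproduction steps: the same user must
# receive the same decision for every format, or a feed bypass exists.
def consistent_across_formats?(user, **opts)
  decisions = ALL_FORMATS.map { |f| authorize_request(user, format: f, **opts) }
  decisions.uniq.size == 1
end

# --- constructed sample data (not from the report) ---------------------
NOW = Time.parse('2021-09-22T12:00:00Z')
USER1_FRESH   = User.new(username: 'user1', password_expires_at: NOW + 86_400,
                         auth_provider: :password, accepted_terms: true)
USER1_EXPIRED = User.new(username: 'user1', password_expires_at: NOW - 60,
                         auth_provider: :password, accepted_terms: true)
LDAP_USER     = User.new(username: 'ldapuser', password_expires_at: NOW - 60,
                         auth_provider: :ldap, accepted_terms: true)
NO_TERMS_USER = User.new(username: 'user2', password_expires_at: nil,
                         auth_provider: :password, accepted_terms: false)

if __FILE__ == $PROGRAM_NAME
  [USER1_FRESH, USER1_EXPIRED, LDAP_USER, NO_TERMS_USER].each do |u|
    ALL_FORMATS.each do |f|
      decision = authorize_request(u, format: f, terms_required: true, now: NOW)
      puts "#{u.username.ljust(9)} #{f.to_s.ljust(5)} #{decision.inspect}"
    end
  end
end
```

Run with `ruby feed_authz.rb` to print the decision table; the expired user1 is denied on `atom` exactly as on `html`, while the LDAP user with a stale expiry timestamp is still allowed. The design point is that `consistent_across_formats?` is cheap to turn into a regression test that enumerates every format a route responds to, which is what the linked merge request's added test cases do for the real endpoints.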