Users can import members from projects that they are not a maintainer on through API
HackerOne report #1356100 by joaxcar on 2021-10-01, assigned to GitLab Team:
Report
Summary
Security patch 14.3.1 fixed (link to patch notes and link to commit) an issue where a maintainer in one project could import members from another project while not being a maintainer in that target project. This is now enforced in the GitLab UI and any requests putting the target project as a project where the user is not maintainer will fail.
This check is not enforced if the same user uses the API endpoint /projects/:id/import_project_members/:project_id (see the API documentation). As long as the user has maintainer access to the project with id :id, the user can import members from any target :project_id that is visible to them, that is, all public projects and any private project where the user has the role Guest or higher.
Steps to reproduce
- Create two users, user1 and user2.
- Log in as user1 and create a public project project1 in the user1 namespace.
- Make a note of the project ID; we call it ID1.
- Log in as user2 and create a private project project2.
- Make a note of the project ID; we call it ID2.
- Go to https://gitlab.com/-/profile/personal_access_tokens and create an access token for user2; let's call it TOKEN1.
- Send this request in a terminal (replacing <TOKEN1>, <ID2> and <ID1>):
  curl --request POST --header "PRIVATE-TOKEN: <TOKEN1>" "https://gitlab.com/api/v4/projects/<ID2>/import_project_members/<ID1>"
- Go to https://gitlab.com/user2/project2/-/project_members and verify that user1 is imported from the public project where user2 is not a member.
Impact
Importing members is supposed to be an action that is restricted to users who are maintainers on both target projects. The API allows users to bypass this restriction.
What is the current bug behavior?
The API endpoint does not validate the role of the requester on the source project as the UI does.
What is the expected correct behavior?
The API should enforce the same maintainer check on both projects as the UI does.
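To make the authorization gap concrete, here is an added illustration (not GitLab's code) that models the decision behind the endpoint: the pre-fix policy only checks the destination project plus visibility of the source, while the corrected policy requires the maintainer role on both. Role names, rank ordering and the visibility rule are assumptions taken from the report text.

```ruby
# Added illustration, not GitLab's implementation: a minimal model of the
# authorization decision behind /projects/:id/import_project_members/:project_id.
# Role names, their ordering and the visibility rule are assumptions based on the report.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Project = Struct.new(:id, :visibility, :members) do
  # members: { user_name => role_symbol }
  def role_of(user)
    members[user]
  end

  # True when the user holds at least the given role on this project.
  def at_least?(user, role)
    r = role_of(user)
    !r.nil? && ROLE_RANK.fetch(r) >= ROLE_RANK.fetch(role)
  end

  # Public projects are visible to everyone; private ones only to members (Guest or higher).
  def visible_to?(user)
    visibility == :public || !role_of(user).nil?
  end
end

# Behaviour the report describes: maintainer on the destination is checked,
# but the source project only has to be visible to the requester.
def import_allowed_before_fix?(requester, destination, source)
  destination.at_least?(requester, :maintainer) && source.visible_to?(requester)
end

# Expected behaviour, matching the UI: maintainer on both projects.
def import_allowed_after_fix?(requester, destination, source)
  destination.at_least?(requester, :maintainer) && source.at_least?(requester, :maintainer)
end

# Copies source members into destination only when the policy allows it.
# Returns the names of newly added members (empty when denied).
def import_members(requester, destination, source, policy)
  return [] unless policy.call(requester, destination, source)
  added = source.members.keys - destination.members.keys
  added.each { |u| destination.members[u] = source.members[u] }
  added
end

# Constructed scenario from the report: user1 owns public project1, user2 owns private project2.
def report_scenario
  project1 = Project.new(1, :public,  { "user1" => :owner })
  project2 = Project.new(2, :private, { "user2" => :owner })
  [project1, project2]
end
```

With the pre-fix policy user2 can pull user1 into project2 despite having no role on project1; the corrected policy denies the request and leaves project2's membership unchanged.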
Output of checks
This bug happens on GitLab.com