
Users can import members from projects that they are not a maintainer on through API

HackerOne report #1356100 by joaxcar on 2021-10-01, assigned to GitLab Team:


Report

Summary

Security patch 14.3.1 fixed (link to patch notes and link to commit) an issue where a maintainer in one project could import members from another project while not being a maintainer in that target project. This is now enforced in the GitLab UI, and any request that names a target project where the user is not a maintainer will fail.

This check is not enforced if the same user uses the API endpoint /projects/:id/import_project_members/:project_id (see the endpoint documentation). As long as the user has maintainer access to the project with id :id, the user can import members from any target :project_id as long as it is visible to the user. That is all public projects and any private project where the user has the Guest role or higher.

Steps to reproduce
  1. Create two users, user1 and user2
  2. Log in as user1 and create a public project project1 in the user's namespace user1
  3. Make a note of the project ID, we call it ID1
  4. Log in as user2 and create a private project project2
  5. Make a note of the project ID, we call it ID2
  6. Go to https://gitlab.com/-/profile/personal_access_tokens and create an access token for user2, let's call it TOKEN1
  7. Send this request in a terminal (replacing <TOKEN1>, <ID2> and <ID1>)
    curl --request POST --header "PRIVATE-TOKEN: <TOKEN1>" "https://gitlab.com/api/v4/projects/<ID2>/import_project_members/<ID1>"
  8. Go to https://gitlab.com/user2/project2/-/project_members and verify that user1 is imported from the public project where user2 is not a member
Impact

Importing members is supposed to be an action that is restricted to users who are maintainers on both target projects. The API allows users to bypass this restriction.

What is the current bug behavior?

The API endpoint does not validate the requester's role in the project the members are imported from, as the UI does.

What is the expected correct behavior?

The API should enforce the same check as the functionality in the UI.
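To make the missing check concrete, here is an added example (not GitLab's code) modelling the two rules in Ruby: the one the report describes for the API endpoint, which only requires maintainer access on the project receiving members and visibility of the project they come from, next to the rule the UI enforces, which requires maintainer access on both. Projects, roles and the user1/user2 scenario are constructed in memory for the example.

```ruby
# Added example, not GitLab's code: an in-memory model of the two rules.
# Roles are ordered like GitLab access levels; visibility is :public or :private;
# members maps username => role symbol (constructed data, not real accounts).
ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
Project = Struct.new(:id, :visibility, :members)

def role_of(user, project)
  project.members[user]
end

# A project is visible if it is public or the user holds any role in it.
def visible_to?(user, project)
  project.visibility == :public || !role_of(user, project).nil?
end

def maintainer?(user, project)
  role = role_of(user, project)
  !role.nil? && ROLES[role] >= ROLES[:maintainer]
end

# The rule the report describes for the API endpoint: maintainer on the project
# receiving members (:id), but only visibility of the one they come from (:project_id).
def api_check_vulnerable(user, target, source)
  maintainer?(user, target) && visible_to?(user, source)
end

# The rule the UI enforces: maintainer on both projects.
def import_check_fixed(user, target, source)
  maintainer?(user, target) && maintainer?(user, source)
end

# Copies source members into target; returns imported usernames, or nil if refused.
def import_members(user, target, source, check:)
  return nil unless check.call(user, target, source)
  source.members.each { |name, role| target.members[name] ||= role }
  source.members.keys
end

# Constructed scenario following the report's steps: user1 owns a public
# project, user2 owns a private one and holds no role in user1's.
def scenario
  [Project.new(1, :public, { "user1" => :owner }),
   Project.new(2, :private, { "user2" => :owner })]
end

# user2 asks to import project1's members into project2 under a given rule.
def demo(check)
  project1, project2 = scenario
  import_members("user2", project2, project1, check: check)
end
```

Under the API rule `demo(method(:api_check_vulnerable))` returns `["user1"]`, reproducing the report; under the fixed rule the same request is refused and returns nil.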

Output of checks

This bug happens on GitLab.com.

