
Bypass branch restrictions with Asana integration

HackerOne report #1411216 by ooooooo_q on 2021-11-28, assigned to @rshambhuni:

Report | Attachments | How To Reproduce

Report

Summary

If you integrate the project with Asana on GitLab, you can close a task on the Asana side by writing a commit message like "fix #xxx". (https://docs.gitlab.com/ee/user/project/integrations/asana.html)

The UI says that you can limit the target branches in the project: "Comma-separated list of branches to be automatically inspected. Leave blank to include all branches."

integrate_3.png

However, there is a problem in comparing branch names, so it is possible to operate from an unexpected branch.

Steps to reproduce
  1. Prepare an Asana personal access token. (https://developers.asana.com/docs/personal-access-token)
  2. Integrate the project with Asana. (https://docs.gitlab.com/ee/user/project/integrations/asana.html)
  3. Limit the target branch to main.
    restrict_to_main.png
  4. Create an Asana task (e.g. https://app.asana.com/0/1201433658824421/1201434618560116)
  5. Create a branch and write "fix #xxx" in the commit message. (e.g. fix #1201434618560116)
  6. You can confirm that the task is completed on the Asana side.
    asana_2.png
Impact

Asana tasks can be closed from an unexpected branch by the user.
In particular, even if you intend to use only a protected branch with Asana, a user with Developer permission can operate it.
(https://docs.gitlab.com/ee/user/project/protected_branches.html)

Examples

https://gitlab.com/bughunt_test_/asana_test

What is the current bug behavior?

https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/integrations/asana.rb#L64

    def execute(data)
      return unless supported_events.include?(data[:object_kind])

      # check the branch restriction is populated and branch is not included
      branch = Gitlab::Git.ref_name(data[:ref])
      branch_restriction = restrict_to_branch.to_s
      if branch_restriction.present? && branch_restriction.index(branch).nil?
        return
      end

      user = data[:user_name]
      project_name = project.full_name

      data[:commits].each do |commit|
        push_msg = s_("AsanaService|%{user} pushed to branch %{branch} of %{project_name} ( %{commit_url} ):") % { user: user, branch: branch, project_name: project_name, commit_url: commit[:url] }
        check_commit(commit[:message], push_msg)
      end
    end

branch_restriction.index(branch).nil? is a string comparison, not a check against a comma-separated list of branches.

    irb(main):001:0> "main,develop".index("main")
    => 0
    irb(main):002:0> "main,develop".index("a")
    => 1
    irb(main):003:0> "main,develop".index("b")
    => nil
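The following Ruby is an added example, not GitLab's code and not part of the report. It reproduces the substring check from execute above in a stand-alone method, places a hardened check beside it that parses the setting as a comma-separated list, and runs both over a few constructed push refs so the difference is visible. ref_name is a simplified stand-in for Gitlab::Git.ref_name; the method names and sample refs are assumptions made for the example.

```ruby
# Simplified stand-in for Gitlab::Git.ref_name: strip the refs/heads/ or
# refs/tags/ prefix from a push ref. (Assumption for this example.)
def ref_name(ref)
  ref.sub(%r{\Arefs/(heads|tags)/}, '')
end

# Vulnerable check, mirroring the logic in asana.rb: String#index is a
# substring search, so any branch whose name occurs anywhere inside the
# setting (including the empty string, for which index returns 0) passes.
def branch_allowed_vulnerable?(restrict_to_branch, branch)
  branch_restriction = restrict_to_branch.to_s
  return true if branch_restriction.strip.empty? # blank setting means all branches
  !branch_restriction.index(branch).nil?
end

# Hardened check: split the setting on commas, trim whitespace, drop empty
# entries and require an exact match against one of the listed names.
def branch_allowed_fixed?(restrict_to_branch, branch)
  allowed = restrict_to_branch.to_s.split(',').map(&:strip).reject(&:empty?)
  return true if allowed.empty?                   # blank setting means all branches
  allowed.include?(branch)
end

# Evaluate both checks for every ref and report the outcome per branch.
def compare_checks(restrict_to_branch, refs)
  refs.map do |ref|
    branch = ref_name(ref)
    {
      branch: branch,
      vulnerable: branch_allowed_vulnerable?(restrict_to_branch, branch),
      fixed: branch_allowed_fixed?(restrict_to_branch, branch)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the setting from the report plus a few push refs.
  refs = %w[refs/heads/main refs/heads/a refs/heads/b refs/heads/develop]
  compare_checks('main,develop', refs).each do |row|
    puts format('%-10s vulnerable=%-5s fixed=%s', row[:branch], row[:vulnerable], row[:fixed])
  end
end
```

Running it shows that a branch named "a" is accepted by the substring check but rejected by the list check, while "main" and "develop" are accepted by both; a blank setting still allows every branch in both versions, matching the documented "leave blank to include all branches" behaviour.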
What is the expected correct behavior?

The comma-separated list of branches should limit the branches that can be operated on.

Output of checks

This bug happens on GitLab.com


Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: