Bypass branch restrictions with Asana integration
HackerOne report #1411216 by ooooooo_q
on 2021-11-28, assigned to @rshambhuni:
Report
Summary
If you integrate a GitLab project with Asana, you can close a task on the Asana side by writing a reference such as `fix #xxx` in a commit message (https://docs.gitlab.com/ee/user/project/integrations/asana.html).
The integration UI says you can limit the target branches in the project: "Comma-separated list of branches to be automatically inspected. Leave blank to include all branches."
However, there is a problem in how branch names are compared, so the integration can be triggered from an unexpected branch.
Steps to reproduce
- Prepare an Asana personal access token (https://developers.asana.com/docs/personal-access-token).
- Integrate the project with Asana (https://docs.gitlab.com/ee/user/project/integrations/asana.html).
- Limit the target branch to `main`.
- Create an Asana task (e.g. https://app.asana.com/0/1201433658824421/1201434618560116).
- Create a branch named `a` and write `fix #xxx` in the commit message (e.g. `fix #1201434618560116`).
- You can confirm that the task is completed on the Asana side.
Impact
Asana tasks can be closed from an unexpected branch by a user of the project.
In particular, even if you intend only a protected branch to work with Asana, a user with Developer permission can trigger it from a branch they are allowed to push to.
(https://docs.gitlab.com/ee/user/project/protected_branches.html)
Examples
https://gitlab.com/bughunt_test_/asana_test
What is the current bug behavior?
https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/integrations/asana.rb#L64
```ruby
def execute(data)
  return unless supported_events.include?(data[:object_kind])

  # check the branch restriction is poplulated and branch is not included
  branch = Gitlab::Git.ref_name(data[:ref])
  branch_restriction = restrict_to_branch.to_s
  if branch_restriction.present? && branch_restriction.index(branch).nil?
    return
  end

  user = data[:user_name]
  project_name = project.full_name

  data[:commits].each do |commit|
    push_msg = s_("AsanaService|%{user} pushed to branch %{branch} of %{project_name} ( %{commit_url} ):") % { user: user, branch: branch, project_name: project_name, commit_url: commit[:url] }
    check_commit(commit[:message], push_msg)
  end
end
```
`branch_restriction.index(branch).nil?` is a substring search of one string inside another, not a membership check against a comma-separated list of branches. Any branch whose name appears as a substring of the setting (for example `a` inside `main`) passes the check.
```
❯ irb
irb(main):001:0> "main,develop".index("main")
=> 0
irb(main):002:0> "main,develop".index("a")
=> 1
irb(main):003:0> "main,develop".index("b")
=> nil
```
What is the expected correct behavior?
The comma-separated list of branches should limit the integration to exactly the branches listed; a branch name should only match if it is one of the entries, not merely a substring of the setting.
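To make the difference between the flawed comparison and the expected behaviour concrete, here is an added example (my own code, not GitLab's and not the fix GitLab eventually shipped). `branch_allowed_by_substring?` mirrors the `String#index` check quoted above; `branch_allowed_by_list?` is the exact-match check I would suggest instead, splitting the setting on commas and trimming whitespace. The branch names and restriction strings are constructed samples.

```ruby
# Added example, not code from gitlab-org/gitlab. Contrasts the substring
# comparison reported above with an exact match against a comma-separated list.

# Mirrors the flawed check: String#index looks for the branch name anywhere
# inside the restriction string, so "a" is found inside "main" and passes.
def branch_allowed_by_substring?(restriction, branch)
  restriction = restriction.to_s
  return true if restriction.empty? # blank setting means "all branches"

  !restriction.index(branch).nil?
end

# Suggested comparison (assumption, not necessarily GitLab's fix): split the
# setting on commas, trim whitespace, drop empty entries, require an exact match.
def branch_allowed_by_list?(restriction, branch)
  allowed = restriction.to_s.split(',').map(&:strip).reject(&:empty?)
  return true if allowed.empty? # blank setting still means "all branches"

  allowed.include?(branch)
end

# Returns which of the candidate branches each comparison would let through,
# so the over-match of the substring check is visible side by side.
def compare_checks(restriction, candidate_branches)
  {
    substring: candidate_branches.select { |b| branch_allowed_by_substring?(restriction, b) },
    exact: candidate_branches.select { |b| branch_allowed_by_list?(restriction, b) }
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the report's restriction "main" plus other branch names.
  candidates = %w[main a ai develop main-feature]
  p compare_checks('main', candidates)
  # {:substring=>["main", "a", "ai"], :exact=>["main"]}
  p compare_checks('main, develop', candidates)
  # {:substring=>["main", "a", "ai", "develop"], :exact=>["main", "develop"]}
end
```

Note that the substring check also lets an empty branch name through (`"main".index("")` is `0`), while the list check rejects it; both checks treat a blank setting as "inspect all branches", matching the UI text.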
Output of checks
This bug happens on GitLab.com
Attachments
Warning: Attachments received through HackerOne, please exercise caution!