Ability to delete a protected branch from command line
HackerOne report #1461115 by s0l0sec on 2022-01-26, assigned to @cmaxim:
Report
Summary
Hi,
According to https://docs.gitlab.com/ee/user/project/protected_branches.html#delete-a-protected-branch
a protected branch can be deleted from the UI only; this prevents accidentally deleting a branch from the command line or from a Git client application. But it is possible to delete a protected branch from the command line.
Steps to reproduce
1. Create user-A
2. Create a project-A
3. In the project-A repository, create branch-A
4. Go to Settings > Repository, go to Protected branches, and make branch-A protected
5. Send this request from your command line:
curl -X DELETE --header "PRIVATE-TOKEN: <TOKEN>" "https://gitlab.com/api/v4/projects/project-A_id/repository/branches/branch-A"
Impact
This can result in accidentally deleting a branch from the command line.
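A detection sketch for the request in step 5, added here as an example and not part of the original report or of GitLab's code: it scans JSON API access-log entries for DELETE requests to the branches endpoint and flags those that name a protected branch. The log lines are constructed, the field names (`method`, `path`, `status`, `username`, `time`) assume GitLab's JSON API log format, and the protected-branch map is assumed to be supplied by the caller.

```python
import json
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Endpoint from the report: DELETE /api/v4/projects/:id/repository/branches/:branch
BRANCH_PATH = re.compile(r"^/api/v4/projects/([^/]+)/repository/branches/([^/]+)$")

def protected_branch_deletions(log_lines, protected):
    """Return API branch deletions whose target is a protected branch.

    `protected` maps a project id (string) to protected branch names or
    wildcard patterns such as "release/*" (assumed to be supplied by the caller).
    """
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        if not isinstance(entry, dict) or entry.get("method") != "DELETE":
            continue
        m = BRANCH_PATH.match(entry.get("path") or "")
        if not m:
            continue
        # Ids and branch names are URL-encoded in the path (feature%2Fx -> feature/x).
        project, branch = unquote(m.group(1)), unquote(m.group(2))
        if any(fnmatchcase(branch, pat) for pat in protected.get(project, [])):
            status = entry.get("status")
            hits.append({
                "time": entry.get("time"), "user": entry.get("username"),
                "project": project, "branch": branch, "status": status,
                "succeeded": isinstance(status, int) and 200 <= status < 300,
            })
    return hits

# Constructed sample entries; project id 42 and the user name are made up.
SAMPLE_LOG = [
    '{"time":"2022-01-26T10:00:00Z","method":"DELETE","path":"/api/v4/projects/42/repository/branches/branch-A","status":204,"username":"user-A"}',
    '{"time":"2022-01-26T10:01:00Z","method":"DELETE","path":"/api/v4/projects/42/repository/branches/feature%2Ftmp","status":204,"username":"user-A"}',
    '{"time":"2022-01-26T10:02:00Z","method":"GET","path":"/api/v4/projects/42/repository/branches/branch-A","status":200,"username":"user-A"}',
    '{"time":"2022-01-26T10:03:00Z","method":"DELETE","path":"/api/v4/projects/42/repository/branches/release%2F1.0","status":403,"username":"user-A"}',
    "not a json line",
]
PROTECTED = {"42": ["branch-A", "release/*"]}

if __name__ == "__main__":
    for hit in protected_branch_deletions(SAMPLE_LOG, PROTECTED):
        print(hit)
```

Entries with `succeeded` set to true are the ones to review first, since they are deletions of a protected branch that the API accepted.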
