Free users can restore deleted projects
This was originally reported by @salh4ckr on HackerOne but I'm opening this public issue here given the absence of security impact.
Report
Summary
Hi,
When a project has the project deletion delay enabled, a project can be restored after deletion, but this is only available for Premium subscriptions.
https://docs.gitlab.com/ee/user/project/settings/#restore-a-project. If the group isn't Premium subscribed, a project can't be restored.
I found that the restore endpoint is missing authorization checks for free plan users, so they can restore a pending-deletion project.
Steps to reproduce
1. Create a group
2. Create a project in the group
3. Go to Project settings
4. Expand Advanced and go to "Delete this project"
5. Before deleting the project, you see the message that there is no going back if you delete it; click Delete.
6. To restore, send a request like this:
POST /group_name/project_name-deleted-project_id/restore HTTP/2
Host: gitlab.com
Cookie: redacted
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/dashboard/projects/removed
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

_method=post&authenticity_token=redacted
Video PoC:
Poc.webm
Impact
Users who are using the free plan can restore deleted projects, even though it is expected that only Premium users can do so.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Implementation guide
The Projects::RestoreService has no check in place to prevent restoration when free_project AND executor_is_not_admin both hold; we should add one.
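The following is an added illustration of that missing check, not GitLab's own code: a minimal stand-in for the restore service before and after adding a plan/admin authorization gate. The model classes, the `premium?` predicate (standing in for a licensed-feature check) and the error messages are assumptions for the sake of the example.

```ruby
# Hypothetical models, constructed for this example only (not GitLab's).
Project = Struct.new(:name, :pending_deletion, :premium, keyword_init: true) do
  def pending_deletion?
    pending_deletion
  end

  # Stands in for "the namespace is licensed for delayed deletion/restore".
  def premium?
    premium
  end
end

User = Struct.new(:name, :admin, keyword_init: true) do
  def admin?
    admin
  end
end

ServiceResponse = Struct.new(:status, :message, keyword_init: true) do
  def success?
    status == :success
  end
end

# Behaviour described in the report: the only gate is "is the project
# pending deletion?", so any user who can reach the endpoint restores it.
class VulnerableRestoreService
  def initialize(project, current_user)
    @project = project
    @current_user = current_user
  end

  def execute
    unless @project.pending_deletion?
      return ServiceResponse.new(status: :error, message: 'Project is not pending deletion')
    end

    @project.pending_deletion = false
    ServiceResponse.new(status: :success, message: 'Project restored')
  end
end

# Hardened form: refuse unless the project is on a plan that includes
# restore, or the executor is an admin (the "free_project AND
# executor_is_not_admin" condition from the implementation guide).
class HardenedRestoreService < VulnerableRestoreService
  def execute
    unless @project.premium? || @current_user.admin?
      return ServiceResponse.new(status: :error, message: 'Restoring projects requires a Premium plan')
    end

    super
  end
end
```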