Groups can be transferred to groups where you have only maintainer permissions
HackerOne report #1590707 by theluci
on 2022-06-03, assigned to @dcouture:
Report
Summary
The documentation at https://docs.gitlab.com/ee/user/group/#transfer-a-group states that
You can only transfer groups to groups you manage
By "manage", the documentation means that you are an owner.
When you go to the transfer group settings for a group you own (settings > general > advanced > transfer group), you see only the groups for which you are an owner, which matches the documentation.
However, when you capture the request and change the new_parent_group_id parameter to the id of a group in which you are only a maintainer, the request goes through and transfers the group.
POST /groups/test11330/-/transfer HTTP/2
Host: gitlab.com
Cookie: <COOKIE>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Referer: https://gitlab.com/groups/test11330/-/edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Origin: https://gitlab.com
_method=put&authenticity_token=<AUTHENTICITY TOKEN>&new_parent_group_id=<ID>
Steps to reproduce
Setup
The attacker has owner permission in group-o and maintainer permission in group-m.
- In group-o, go to settings > general > advanced > transfer group, choose any group and confirm, but intercept the request using Burp Suite.
- Change new_parent_group_id to the id of group-m.
- group-o will be transferred into group-m.
What is the current bug behavior?
The owner of a group can transfer his group to any group for which he has maintainer permissions.
What is the expected correct behavior?
The owner should only be able to transfer his group to other groups in which he is the owner.
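The flaw described above is a server-side authorization check that accepts a lower access level on the target group than the UI offers. The following Ruby sketch is an added example, not GitLab's code: it models a transfer handler that re-validates the submitted new_parent_group_id against the caller's actual membership, with the weak check (maintainer on the target suffices) beside the corrected one (owner on the target required). Group, ACCESS_LEVELS, the member tables and the usernames are constructed for the example.

```ruby
# Added example (not GitLab's code): minimal model of the server-side
# authorization a group-transfer endpoint needs. The UI listing only the
# groups the user owns is not a control; new_parent_group_id is
# attacker-controlled, so the server must re-check access to the target.

# Constructed access ladder (hypothetical values, ordered low to high).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed group model: members maps username => access level symbol.
Group = Struct.new(:id, :path, :members) do
  def access_level(user)
    ACCESS_LEVELS.fetch(members[user], 0)
  end
end

class TransferError < StandardError; end

# Weak check (the behaviour the report describes): owner of the moved group,
# but only maintainer or above on the target, so a maintainer can receive it.
def can_transfer_weak?(user, group, new_parent)
  group.access_level(user) >= ACCESS_LEVELS[:owner] &&
    new_parent.access_level(user) >= ACCESS_LEVELS[:maintainer]
end

# Corrected check: the user must own both the moved group and the new parent,
# matching the documented "groups you manage" rule.
def can_transfer_fixed?(user, group, new_parent)
  group.access_level(user) >= ACCESS_LEVELS[:owner] &&
    new_parent.access_level(user) >= ACCESS_LEVELS[:owner]
end

# Transfer handler: looks up the submitted id and applies the given check
# before moving the group; returns the new full path on success.
def transfer_group(user, group, new_parent_group_id, groups, check:)
  new_parent = groups[new_parent_group_id.to_i]
  raise TransferError, "target group not found" unless new_parent
  unless check.call(user, group, new_parent)
    raise TransferError, "insufficient permissions on target group"
  end
  "#{new_parent.path}/#{group.path}"
end

# Constructed sample data mirroring the report's setup: the user owns
# group-o and is only a maintainer in group-m.
GROUPS = {
  1 => Group.new(1, "group-o", { "attacker" => :owner }),
  2 => Group.new(2, "group-m", { "attacker" => :maintainer, "victim" => :owner }),
}.freeze

# With the weak check the tampered request succeeds.
def weak_result
  transfer_group("attacker", GROUPS[1], "2", GROUPS, check: method(:can_transfer_weak?))
end

# With the corrected check the same request is rejected.
def fixed_result
  transfer_group("attacker", GROUPS[1], "2", GROUPS, check: method(:can_transfer_fixed?))
rescue TransferError => e
  e.message
end

if __FILE__ == $0
  puts "weak check:  #{weak_result}"
  puts "fixed check: #{fixed_result}"
end
```

The point of the example is that the check must run on the server against the value actually submitted, using the caller's access level on the target group, not on the list the form displayed.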
Output of checks
This bug happens on GitLab.com
Note:
The documentation at https://docs.gitlab.com/ee/user/group/#transfer-a-group states that
You can only transfer groups to groups you manage
I'm pretty sure that by manage the documentation means groups in which you are an owner, because
- Only an owner can access the settings of a group and perform the required functions, thus managing the group
- In the transfer group functionality, through the UI you only see those groups in which you are an owner, i.e., those that you are managing
Impact
Allows you to transfer a group to another group where you have only maintainer permissions.