
Subgroup Member With Reporter Role Can Edit Group Labels

HackerOne report #1818425 by drjgouveia on 2022-12-29, assigned to Ottilia Westerlund:


Report

Summary

When a user belongs to a subgroup and that subgroup has a project, the user is able to change details of a label (not able to delete it).

Steps to reproduce
  1. On a GitLab instance, create a group.
  2. Create a label on the group.
  3. Now create a subgroup in that group.
  4. Create a label on the subgroup.
  5. Create a new user and add it to the subgroup with the "Reporter" role.
  6. Log in now as the new user and go to the project page. Here you'll click on the breadcrumb that is after the group name, which should be the second one (the one in red: image.png).
  7. Now "Subgroup information" -> "Labels". You should find a page similar to this one: image.png
  8. As you can see, the label belonging to the group should not give me access to edit it. But, if I get the ID by inspecting the element and getting the data-id parameter value: image.png
  9. Now we just have to add /[data-id value]/edit to the URL, which will look something like this: .../groups/bb/inside/-/labels/142/edit. Now you're able to edit everything except deleting.
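As an added illustration (not GitLab's own code), a small Ruby model of the authorization mistake these steps describe: the edit check is evaluated against the subgroup named in the URL rather than against the group that owns the label. The group names, the Reporter threshold for editing labels, and the membership layout are assumptions.

```ruby
# Constructed stand-ins for the objects involved; not GitLab's models.
Group = Struct.new(:name, :parent)
Label = Struct.new(:title, :group)   # :group is the group that owns the label
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }

# memberships: { [user, group] => role }. Membership is inherited downward:
# a role on a group also applies to every subgroup beneath it.
def effective_role(memberships, user, group)
  best = nil
  g = group
  while g
    role = memberships[[user, g]]
    best = role if role && (best.nil? || ROLE_RANK[role] > ROLE_RANK[best])
    g = g.parent
  end
  best
end

def at_least?(role, needed)
  !role.nil? && ROLE_RANK[role] >= ROLE_RANK[needed]
end

# Flawed check (the behaviour reported): authorizes against the group in the
# URL path .../groups/<url_group>/-/labels/<id>/edit, ignoring label.group.
def can_edit_label_flawed?(memberships, user, _label, url_group)
  at_least?(effective_role(memberships, user, url_group), :reporter)
end

# Fixed check: the label must belong to the URL group or one of its ancestors
# (else treat it as not found, i.e. 404), and the user needs at least the
# assumed Reporter role on the group that actually owns the label.
def can_edit_label?(memberships, user, label, url_group)
  in_scope = false
  g = url_group
  while g
    in_scope = true if g.equal?(label.group)
    g = g.parent
  end
  return false unless in_scope
  at_least?(effective_role(memberships, user, label.group), :reporter)
end

# The report's layout: group "bb" -> subgroup "inside"; the new user is only a
# Reporter on the subgroup but requests the edit page of the parent's label.
def report_scenario
  bb = Group.new("bb", nil)
  inside = Group.new("inside", bb)
  group_label = Label.new("group-label", bb)
  subgroup_label = Label.new("subgroup-label", inside)
  memberships = { ["newuser", inside] => :reporter }
  { flawed: can_edit_label_flawed?(memberships, "newuser", group_label, inside),
    fixed: can_edit_label?(memberships, "newuser", group_label, inside),
    own_label: can_edit_label?(memberships, "newuser", subgroup_label, inside) }
end
```

The flawed check returns true for the parent group's label, the fixed check returns false for it while still allowing the user to edit the subgroup's own label.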

Impact

This has a big impact on the integrity of the data, mainly when tickets are related to the labels and those no longer correspond to or carry their original meaning.

What is the current bug behavior?

This is before using this vulnerability:
image.png
image.png

This is the after:
image.png
image.png

What is the expected correct behavior?

To show a 404 error page.

Impact

The impact of this is mainly on the integrity of the information provided by the labels, not only for this project/subgroup but for all the projects/subgroups that use this label within the group.
