Email generation for bots leads to the inability to create project/group access tokens

HackerOne report #1861701 by 0xn3va on 2023-02-03, assigned to @rshambhuni:


Report

Summary

GitLab allows users to create access tokens scoped to a single project or group (see https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html and https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html). Each such token is implemented as a bot user plus a personal access token that belongs to that bot. Because GitLab creates these bot users itself, it assigns their email addresses using the following scheme:

project{project_id}_bot@noreply.{Gitlab.config.gitlab.host}  
group{group_id}_bot@noreply.{Gitlab.config.gitlab.host}  

When a second access token is created for the same project or group, a number is appended to the local part: project{project_id}_bot{number}@noreply.{Gitlab.config.gitlab.host}. That suffix is not added, however, when the unnumbered address is already held by an ordinary user rather than by a previous bot. In other words, if you link project{project_id}_bot@noreply.{Gitlab.config.gitlab.host} to your own account as a secondary email (no confirmation is required), nobody can create a project access token for that project any more, because bot creation fails with the following error:

[REDACTED]

As a result, anyone who knows a project or group ID can disable access-token creation for that project or group. Moreover, I didn't find any limit on the number of linked emails; I was able to link more than 100 emails to a single account.

Steps to reproduce

  1. Open gitlab.com and log in.

  2. Create a project or a group.

  3. Note the project/group ID.

  4. Go to User Settings > Emails.

  5. Link the following email to your account (no confirmation is required):

     for a project:

     project{Project_ID}_bot@noreply.gitlab.com  

     or for a group:

     group{Group_ID}_bot@noreply.gitlab.com  

  6. Go to the project/group.

  7. Go to Settings > Access Tokens.

  8. Try to create an access token; it fails with an error.
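The following Ruby script is an added example, not GitLab's code, that models the address scheme and the collision described above and then replays steps 5 to 8 against the vulnerable generator and against the two fixes the report proposes. `HOST`, `EmailDirectory`, and the `create_bot_*` functions are assumptions made for the illustration; the address directory is constructed in memory, standing in for the query over all users' linked addresses that a real implementation would run.

```ruby
require 'securerandom'

# Added example, not GitLab's code: a toy model of the bot-email assignment
# described in the report. HOST stands in for Gitlab.config.gitlab.host.
HOST = 'gitlab.example'

# Directory of every address linked to any account, primary or secondary.
# Constructed data; in GitLab this would be a query over users' emails.
class EmailDirectory
  def initialize
    @owner = {} # email address => username that linked it
  end

  def taken?(email)
    @owner.key?(email)
  end

  # Linking mirrors User Settings > Emails: the address only has to be unused
  # (the report notes that confirmation is not required).
  def link(email, username)
    raise ArgumentError, "#{email} already linked by #{@owner[email]}" if taken?(email)
    @owner[email] = username
    email
  end

  # How many bot users already exist for this project/group.
  def bot_count(type, id)
    @owner.values.count { |u| u.match?(/\A#{type}#{id}_bot\d*\z/) }
  end
end

def bot_address(type, id, suffix = '')
  "#{type}#{id}_bot#{suffix}@noreply.#{HOST}"
end

# Vulnerable behaviour as described in the report: the numeric suffix is derived
# from how many bots this resource already has, so the generator never asks
# whether a human has linked the resulting address. The collision surfaces as an
# error when the bot user is saved, and the access token is not created.
def create_bot_vulnerable(dir, type, id)
  n = dir.bot_count(type, id)
  suffix = n.zero? ? '' : n.to_s
  dir.link(bot_address(type, id, suffix), "#{type}#{id}_bot#{suffix}")
end

# Fix 1 (the report's "iterate the address" option): keep counting until the
# address is free for everyone, not just free of other bots.
def create_bot_iterating(dir, type, id)
  n = 0
  loop do
    suffix = n.zero? ? '' : n.to_s
    addr = bot_address(type, id, suffix)
    return dir.link(addr, "#{type}#{id}_bot#{suffix}") unless dir.taken?(addr)
    n += 1
  end
end

# Fix 2 (the report's "random suffix" option): an unguessable suffix, still
# checked against the directory, cannot be squatted in advance.
def create_bot_random(dir, type, id)
  loop do
    suffix = "_#{SecureRandom.hex(8)}"
    addr = bot_address(type, id, suffix)
    return dir.link(addr, "#{type}#{id}_bot#{suffix}") unless dir.taken?(addr)
  end
end

# Steps 5 to 8 of the report, run against each generator. Returns one outcome per generator.
def reproduce(type = 'project', id = 42)
  dir = EmailDirectory.new
  dir.link(bot_address(type, id), 'attacker') # step 5: attacker links the predictable address
  outcome = {}
  outcome[:vulnerable] = begin
    create_bot_vulnerable(dir, type, id)
  rescue ArgumentError => e
    "blocked: #{e.message}"
  end
  outcome[:iterating] = create_bot_iterating(dir, type, id)
  outcome[:random] = create_bot_random(dir, type, id)
  outcome
end

puts reproduce if $PROGRAM_NAME == __FILE__
```

Running it shows the vulnerable generator blocked by the squatted address while both fixes still produce a bot. Note that iteration alone only raises the cost of the attack: the report observes that more than 100 addresses can be linked to one account, so an attacker can pre-link `project{id}_bot1` through `project{id}_bot100` as well. The random suffix removes the predictability that makes squatting possible in the first place.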

What is the current bug behavior?

Bot users get predictable email addresses, and the generator only moves on to a numbered address when a previous access token (that is, a previous bot) already holds the unnumbered one; an address that an ordinary user has linked is not detected, so bot creation fails.

What is the expected correct behavior?

Bot email addresses carry a random prefix/suffix, or the generator keeps iterating the address until it finds one that no user holds, regardless of whether a previous access token exists.

Relevant logs and/or screenshots

PoC: [REDACTED]

Output of checks

This bug happens on GitLab.com

Edited by Rohit Shambhuni