Import project from Github matching branch protection rules with unverified email allowing developer to impersonate and bypass protected branch rules
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1874671 by vaib25vicky
on 2023-02-15, assigned to @cmaxim:
Report
Summary
When we import a Github project into Gitlab, the branch protection rules of Github are also imported.
They are defined as described in the documentation (https://docs.gitlab.com/ee/user/project/import/github.html#branch-protection-rules-and-project-settings).
One of the rules is:
"Require a pull request before merging - Allow specified actors to bypass required pull requests"
This rule in Gitlab adds users to the Allowed to push list of the branch protection settings.
It is done by mapping the Github user email address to the Gitlab user email address.
The bug here is that a Gitlab user's unverified email address gets mapped to the Github user. This allows a malicious developer of the project to gain write access (allowed to push) to the protected branch.
This bug allows a malicious developer to add himself to the Allowed to push list of the branch protection settings by impersonating a legitimate Github user using an unverified email address.
The attack scenario is like:
- Github repository has a branch protection rule "Require a pull request before merging - Allow specified actors to bypass required pull requests"
- Github user FOO is allowed to bypass required pull requests
- Gitlab user BAR adds FOO Github user's email address to his Gitlab account. This is an unverified email address.
- Gitlab owner imports the Github repository; the branch protection rule also gets imported.
- Gitlab user BAR gets mapped to the Github user FOO using the unverified email address.
- Gitlab user BAR gains push access to the protected branch
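The mapping step above, as an added example that is not GitLab's importer code: a simplified, hypothetical `User`/`Email` model in which the weak lookup matches any email on an account (confirmed or not), and the hardened lookup accepts only confirmed addresses. The user names and addresses are constructed from the report's scenario.

```ruby
# Hypothetical stand-ins for the user and email records (not GitLab's models).
Email = Struct.new(:address, :confirmed)

class User
  attr_reader :username, :emails

  # The primary email is treated as confirmed; secondaries carry their own flag.
  def initialize(username, primary_email, secondary_emails = [])
    @username = username
    @emails = [Email.new(primary_email, true)] + secondary_emails
  end
end

# Weak mapping: any address on the account matches, confirmed or not, so a
# user who merely *claims* a GitHub actor's address is mapped to that actor.
def find_user_by_any_email(users, address)
  users.find { |u| u.emails.any? { |e| e.address == address } }
end

# Hardened mapping: only confirmed addresses count, so an unverified secondary
# email cannot be used to inherit another person's branch permissions.
def find_user_by_confirmed_email(users, address)
  users.find { |u| u.emails.any? { |e| e.address == address && e.confirmed } }
end

# Resolve the GitHub "allowed to bypass" actor emails to local usernames that
# would be added to the protected branch's "Allowed to push" list.
def allowed_to_push(users, github_actor_emails, confirmed_only:)
  github_actor_emails.filter_map do |address|
    user = if confirmed_only
             find_user_by_confirmed_email(users, address)
           else
             find_user_by_any_email(users, address)
           end
    user&.username
  end
end

# Constructed scenario: BAR adds the GitHub actor FOO's address as an
# unconfirmed secondary email; CAROL legitimately owns a confirmed address.
USERS = [
  User.new("OWNER", "owner@example.test"),
  User.new("BAR", "bar@example.test", [Email.new("foo@example.test", false)]),
  User.new("CAROL", "carol@example.test"),
].freeze
GITHUB_BYPASS_ACTORS = ["foo@example.test", "carol@example.test"].freeze

if __FILE__ == $PROGRAM_NAME
  p allowed_to_push(USERS, GITHUB_BYPASS_ACTORS, confirmed_only: false) # ["BAR", "CAROL"]
  p allowed_to_push(USERS, GITHUB_BYPASS_ACTORS, confirmed_only: true)  # ["CAROL"]
end
```

With the weak lookup BAR is granted push access to the protected branch through the unconfirmed address; with the confirmed-only lookup only CAROL is mapped and the unmatched actor is simply not added.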
PoC
Give me your Github username, I will add you to my test organization so that you can import my test repository https://github.com/the-umm/supreme-bassoon
My test repository has the following branch protection rule in place:
wohoox77 user has verified email address wohoox77@wearehackerone.com in Github.
You need to do the steps below in Gitlab.com:
- FOO is an owner and creates a new Gitlab group and opts for the Ultimate trial from the billing page. Let's say you have another developer role user BAR in your Group members.
- BAR adds email address wohoox77@wearehackerone.com. This is a secondary and unverified email address in the account.
- FOO imports the Github repository the-umm/supreme-bassoon, and after the repository is imported:
- BAR user gains Allowed to push access to the protected branch. You can check it by going to the gitlab protected branch page https://gitlab.com///-/settings/repository
This shows that Gitlab mapped the unverified email address of the BAR user to the Github user wohoox77 and gives BAR access to the protected branch.
Video
Impact
This bug allows a malicious developer to add himself to the Allowed to push list of the branch protection settings by impersonating a legitimate Github user using an unverified email address.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: