
push rule bypass using projectSyncFork graphQl api

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1890962 by vaib25vicky on 2023-03-03, assigned to GitLab Team:


Report

Summary

The projectSyncFork GraphQL API does not check push rules and thus allows bypassing them.

Steps to reproduce on Gitlab.com

As owner of the group your-grp

  1. Create a group with Ultimate trial
  2. Create a public project, let's say your-grp/foo-parent
  3. Create a fork of this project, either in the same group or in a different group (make sure the other group also has Ultimate trial). Let's say your-grp/foo-fork
  4. Define push rules in your-grp/foo-fork, for example

a1.png

It means that the commit user's email must end with @sub.company.com and files ending with jar or exe are prohibited.

  5. As owner, edit the protected branch rule "Allowed to push and merge" to the value Developer & Maintainer in your-grp/foo-fork

f3.png

  6. As owner, create a new file named test.exe in your-grp/foo-parent
  7. As owner, invite another user with the developer role to the fork project your-grp/foo-fork

As developer of the project your-grp/foo-fork

  1. As the developer role user, use the projectSyncFork GraphQL API in the project your-grp/foo-fork

```graphql
mutation m {
  projectSyncFork(input: {clientMutationId: "111", projectPath: "your-grp/foo-fork", targetBranch: "main"}) {
    clientMutationId
    errors
  }
}
```

  2. After success, a new file named test.exe is created in your-grp/foo-fork by the developer user. This bypasses the push rule Prohibited file names: (jar|exe)$

Impact

The projectSyncFork GraphQL API does not check push rules and thus allows bypassing them. By using this bug, all push rules can be bypassed by the attacker.
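For context on what the sync path skipped, here is an added illustration (not GitLab's own code, and not the fix that was applied) of evaluating the two push rules from this report against a constructed set of commits, the way every server-side write path, fork synchronisation included, has to before updating a branch. The regexes are the ones described above; matching the file-name rule against the full path is an assumption.

```ruby
# Added illustration, not GitLab's implementation: evaluate push rules against
# the commits a write path is about to add to a protected branch.
PushRule = Struct.new(:author_email_regex, :file_name_regex, keyword_init: true)
Commit   = Struct.new(:sha, :author_email, :changed_paths, keyword_init: true)

# Rules as described in the report: author e-mail must end with
# @sub.company.com, and file names matching (jar|exe)$ are prohibited.
REPORT_RULES = PushRule.new(
  author_email_regex: /@sub\.company\.com\z/,
  file_name_regex: /(jar|exe)$/
)

# Returns an array of violation strings; an empty array means the commits
# satisfy the rules and the branch update may proceed.
def push_rule_violations(commits, rules = REPORT_RULES)
  commits.flat_map do |commit|
    violations = []
    unless commit.author_email.match?(rules.author_email_regex)
      violations << "#{commit.sha}: author e-mail #{commit.author_email} " \
                    "does not match #{rules.author_email_regex.source}"
    end
    commit.changed_paths.each do |path|
      # Assumption: the prohibited-file rule is matched against the full path.
      if path.match?(rules.file_name_regex)
        violations << "#{commit.sha}: prohibited file name #{path}"
      end
    end
    violations
  end
end

# Constructed sample: one compliant commit and one resembling the upstream
# commit from the report that a fork sync would bring into foo-fork.
SAMPLE_COMMITS = [
  Commit.new(sha: "aaa111", author_email: "dev@sub.company.com",
             changed_paths: ["README.md"]),
  Commit.new(sha: "bbb222", author_email: "someone@example.org",
             changed_paths: ["test.exe", "src/main.rb"])
].freeze

if __FILE__ == $PROGRAM_NAME
  push_rule_violations(SAMPLE_COMMITS).each { |v| puts v }
end
```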

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: