Bypassing tags protection in GitLab

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1908423 by inspector-ambitious on 2023-03-15, assigned to @ottilia_westerlund:


Report

Summary

I believe I discovered a bug that allows an attacker to spoof protected tags, that could potentially lead a victim to download malicious code.

Steps to reproduce

We will distinguish 2 users to reproduce this vulnerability:

  • victim01 the victim
  • inspector-ambitious the attacker

In victim context (root): The initial setup

  1. Create a new private repository called tag-protection-bypass
  2. Invite inspector-ambitious as a member of the project in Project Information > Members
  3. Go to Settings > Repository, expand the Protected tags and create a new rule
     Tag: v*
     Allowed to create: Maintainers

So at this stage inspector-ambitious should not be able to create tags since they are protected.

In attacker context (inspector-ambitious): The attack

  1. Create a branch called v1 containing an empty malicious file (for demonstration)
  2. Click the repository Tags link (there are no tags created yet)
  3. Click on New Tag
  4. Set the tag name to refs/tags/v1 and the Create from to v1, create the tag
  5. A 404 appears but the tag is created
  6. Go back to the repo tags list, the tag now appears as protected!

Please note that clicking the tag does not work because a 404 is thrown, but the download Source code feature will still work.

What I believe is happening in the background is that, since the tag v1 reference cannot be resolved, the download of the source code falls back to the content of the branch v1.

Impact

A victim can end up downloading malicious source code.

Output of checks

This bug happens on GitLab.com
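An added example, not GitLab's code and not part of the report, that models the mismatch the report describes: a wildcard protected-tag rule matched against the raw requested name lets refs/tags/v1 slip past a v* rule, while validating the name as a plain tag name before consulting the rules refuses it. The rule v*, the tag names and the Maintainers role are taken from the report; every function name here is an assumption.

```ruby
# Modelled check, not GitLab's implementation. Converts a protected-tag
# wildcard such as "v*" (from the report) into an anchored regexp.
def protection_regexp(pattern)
  Regexp.new("\\A#{Regexp.escape(pattern).gsub('\*', '.*')}\\z")
end

# True when the requested name matches any protected-tag rule.
def tag_protected?(name, patterns)
  patterns.any? { |p| protection_regexp(p).match?(name) }
end

# Weak check: only asks whether the raw requested name hits a protected rule.
# "refs/tags/v1" does not match "v*", so a non-maintainer is allowed through
# even though the resulting tag is later listed as protected.
def weak_allow_create?(name, patterns, maintainer:)
  maintainer || !tag_protected?(name, patterns)
end

# Hardened check: accept only plain tag names. Git stores tags under
# refs/tags/, so a name that starts with "refs/", contains "..", ends in
# ".lock", or carries characters git refuses in ref names is rejected
# before any protection rule is consulted (these rules are assumed here).
def valid_tag_name?(name)
  return false if name.empty? || name.start_with?('refs/', '/', '-')
  return false if name.end_with?('/', '.lock') || name.include?('..')
  return false if name.match?(%r{[\x00-\x20~^:?*\[\\]|//|@\{})
  true
end

def hardened_allow_create?(name, patterns, maintainer:)
  valid_tag_name?(name) && (maintainer || !tag_protected?(name, patterns))
end
```

With the rule v* from the report, weak_allow_create? lets a non-maintainer create refs/tags/v1, whereas hardened_allow_create? rejects that name for every role and still allows ordinary unprotected names.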

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: