Bypassing tags protection in GitLab
HackerOne report #1908423 by inspector-ambitious
on 2023-03-15, assigned to @ottilia_westerlund:
Report
Summary
I believe I discovered a bug that allows an attacker to spoof protected tags, that could potentially lead a victim to download malicious code.
Steps to reproduce
We will distinguish 2 users to reproduce this vulnerability:
- victim01: the victim
- inspector-ambitious: the attacker

In victim context (root): The initial setup
- Create a new private repository called tag-protection-bypass
- Invite inspector-ambitious as a member of the project in Project Information > Members
- Go to Settings > Repository, expand the Protected tags section and create a new rule:
  Tag: v*
  Allowed to create: Maintainers
So at this stage inspector-ambitious should not be able to create tags since they are protected.
In attacker context (inspector-ambitious): The attack
- Create a branch called v1 containing an empty malicious file (for demonstration)
- Click the repository Tags link (there are no tags created yet)
- Click on New Tag
- Set the tag name to refs/tags/v1 and the Create from to v1, then create the tag
- A 404 appears but the tag is created
- Go back to the repo tags list; the tag now appears as protected!
Please note that clicking the tag does not work because a 404 is thrown, but the download Source code feature will still work.
What I believe is happening in the background is that since the tag v1 reference cannot be resolved, the download of the source code falls back to the content of the branch v1.
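As an added illustration (this is not GitLab's code, and the cause is an assumption drawn from the report: a wildcard rule such as v* that is matched against the raw submitted string never fires for refs/tags/v1), here is the assumed weak check beside a hardened one that normalizes the submitted name to a bare tag name before applying the same rule:

```python
import fnmatch
import re

# Protected-tag rule from the report: names matching "v*" may only be created by Maintainers.
PROTECTED_TAG_RULES = {"v*": {"Maintainer", "Owner"}}

# Subset of git check-ref-format rules (hypothetical helper, not GitLab's own validator).
_BAD_REF_CHARS = re.compile(r"\.\.|@\{|//|/$|^/|\.$|\.lock$|[\x00-\x20~^:?*\[\\]")


def _rule_for(name, rules):
    """Return the allowed roles of the wildcard rule matching a bare tag name, or None."""
    for pattern, roles in rules.items():
        if fnmatch.fnmatchcase(name, pattern):
            return roles
    return None


def naive_can_create(role, submitted, rules=PROTECTED_TAG_RULES):
    """Assumed weak check: the wildcard is matched against the raw submitted
    string, so 'refs/tags/v1' never matches 'v*' and the rule does not fire."""
    roles = _rule_for(submitted, rules)
    return roles is None or role in roles


def normalize_tag_name(submitted):
    """Reduce user input to a bare tag name before any policy check.
    An explicit refs/tags/ prefix is stripped; any other ref path, or a name
    that breaks basic git ref-name rules, is rejected outright."""
    name = submitted.strip()
    if name.startswith("refs/tags/"):
        name = name[len("refs/tags/"):]
    if not name or name.startswith("refs/") or _BAD_REF_CHARS.search(name):
        raise ValueError(f"invalid tag name: {submitted!r}")
    return name


def hardened_can_create(role, submitted, rules=PROTECTED_TAG_RULES):
    """Normalize first, then apply the same wildcard rule to the bare name."""
    roles = _rule_for(normalize_tag_name(submitted), rules)
    return roles is None or role in roles
```

With the hardened path a Developer submitting refs/tags/v1 is denied exactly as for v1, while a Maintainer is still allowed.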
Impact
A victim can end up downloading malicious source code.
Output of checks
This bug happens on GitLab.com