
`Prevent project forking outside current group` permission setting bypass

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2019135 by theluci on 2023-06-09, assigned to @ottilia_westerlund:


Report

Hello,

Background

GitLab provides a Premium/Ultimate feature to `Prevent project forking outside current group`.
The permission setting can only be set by the owner of the top-level group and cannot be changed in any of the subgroups.
When the permission setting is set, new forks outside of the current group cannot be created.

pic-fork1.png

And if a member tries to create a new fork outside of the current group by intercepting the request, he is shown the following error:

pic-fork2.png

Vulnerability

The permission setting is not enforced when creating a fork relationship using the API.

As a result,

  1. An attacker can create a project outside the current group.
  2. Create a fork relationship between the attacker's project outside the current group and the victim's project inside the current group.
  3. Continue to access updated information via the `syncFork` mutation, or simply via the "Update fork" functionality in the UI.
  4. Create merge requests from the attacker's project to the victim's project.

This vulnerability allows an attacker to create forks outside of the current group, bypassing the setting set by the owner.

Steps to reproduce

As victim,

  1. Victim creates a group `victim-group`.
  2. Victim creates a project `victim-project` in `victim-group`.
  3. Victim goes to the `victim-group` settings, https://gitlab.com/groups/<victim-group>/-/edit, and expands "Permissions and group features".
  4. Victim checks "Prevent forking outside of the group" and saves the changes.
  5. Victim goes to https://gitlab.com/groups/<victim-group>/-/group_members and adds the attacker as a Reporter in `victim-group`.

As attacker,

  1. Attacker creates a new project `attacker-project` in `attacker-group` (be sure to check "Initialize repository with a README").

pic-fork3.png

  2. Attacker goes to the command line and creates the fork relationship with the following command:

```bash
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.com/api/v4/projects/<attacker_project_id>/fork/<victim_project_id>"
```

Replace the above values accordingly.

  3. Attacker deletes the README file.
  4. Attacker clicks on "Update fork".
  5. Attacker refreshes the project.

The attacker was able to create a fork of `victim-project` outside `victim-group`, bypassing the "Prevent forking outside of the group" permission set by the victim.

Output of checks

This bug happens on GitLab.com (probably on other instances too).

Impact

The `Prevent project forking outside current group` setting set by the owner can be bypassed by any of the members.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Investigation (by @vyaklushin)

I believe the root cause of this bug is an incorrect permission check in the Fork Relationship API.

We verify whether the user has permission to fork the user's own project instead of checking the permission to fork the parent project. That allows the attacker to skip this check.

We should update the permission check in the API endpoint code. On top of that, let's add a permission check to `Projects::ForkService` to catch similar problems in the future.

Edited by Vasilii Iakliushin
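The wrong-object authorization check described in the investigation, as an added illustration that is not GitLab's own code: a simplified Ruby model of groups, projects and the forking policy, with the vulnerable check (authorizing the fork the user already owns) beside the corrected one (authorizing the parent project into the fork's namespace). The `Group`, `Project`, `User` structs and `can_fork?` are stand-ins for GitLab's models and policies, not their real API.

```ruby
# Simplified stand-in for GitLab's data model (constructed for this example).
Group = Struct.new(:name, :parent, :prevent_forking_outside_group, :members) do
  def root
    parent ? parent.root : self
  end
end
Project = Struct.new(:name, :group, :owner)
User    = Struct.new(:name)

# Policy: a user may fork `project` into `target_group` only if they are a member of
# the project's root group (or own the project), and, when that root group sets
# "Prevent project forking outside current group", only into the same group tree.
def can_fork?(user, project, target_group)
  root = project.group.root
  return false unless root.members.include?(user) || project.owner == user
  return false if root.prevent_forking_outside_group && target_group.root != root
  true
end

# Vulnerable check, as the investigation describes it: asks whether the user may
# fork the project they already own, which is always true, so the parent project's
# group setting is never consulted.
def create_fork_relationship_vulnerable(user, fork, _parent)
  can_fork?(user, fork, fork.group)
end

# Corrected check: authorize forking the *parent* project into the fork's namespace.
def create_fork_relationship_fixed(user, fork, parent)
  can_fork?(user, parent, fork.group)
end

# Constructed scenario mirroring the report: attacker is a Reporter in victim-group,
# which forbids forking outside the group; attacker-project lives in attacker-group.
def scenario
  attacker = User.new("attacker")
  victim_group   = Group.new("victim-group", nil, true, [attacker])
  attacker_group = Group.new("attacker-group", nil, false, [attacker])
  subgroup       = Group.new("victim-subgroup", victim_group, false, [])
  victim_project   = Project.new("victim-project", victim_group, User.new("victim"))
  attacker_project = Project.new("attacker-project", attacker_group, attacker)
  inside_fork      = Project.new("victim-project-fork", subgroup, attacker)
  {
    vulnerable:         create_fork_relationship_vulnerable(attacker, attacker_project, victim_project),
    fixed:              create_fork_relationship_fixed(attacker, attacker_project, victim_project),
    fixed_inside_group: create_fork_relationship_fixed(attacker, inside_fork, victim_project)
  }
end
```

With the corrected check the outside-group relationship is refused while a fork into a subgroup of `victim-group` is still allowed, which is the behaviour the group setting promises.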