
Maintainer can create a fork relationship between existing projects contrary to documentation

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2058121 by theluci on 2023-07-08, assigned to @kmorrison1:


Report

Hello,

Background

Gitlab provides a feature to create a fork of a project.
When you create a fork of a project using the UI, you become the owner of the forked project, or downstream project. That is, only the owner of a project can create the fork relationship between the downstream project and the upstream project.
Similarly, only the owner of a project can Remove fork relationship.

When using the API as well, according to the docs, only project owners and administrators can Create a fork relationship between existing projects as well as Delete an existing fork relationship.

7july-5.png

Vulnerability

According to the docs, only project owners and administrators can Create a fork relationship between existing projects.

7july-6.png

However, the above is not enforced, and a Maintainer can create a fork relationship between existing projects.
This behaviour contradicts what happens when using the UI, as well as what should happen according to the docs.

Steps to reproduce

  1. The victim creates a group victim-group and a project victim-project inside it.
  2. The victim goes to the victim-project membership page, https://gitlab.com/<victim-group>/<victim-project>/-/project_members, and adds the attacker as a Maintainer.
  3. The attacker creates a personal project attacker-project.
  4. The attacker goes to his terminal and runs the following command:

     curl --request POST --header "PRIVATE-TOKEN: <access_token>" "https://gitlab.com/api/v4/projects/<victim_project_ID>/fork/<attacker_project_ID>"

The attacker was able to create a fork relationship between victim-project and attacker-project contrary to the documentation (victim-project as the downstream project and attacker-project as the upstream project).

Please note that above, the attacker created a fork relationship between victim-project and attacker-project. However, that isn't necessary: the attacker can create a fork relationship between victim-project and any project the attacker has access to, including public projects.

POC

8july-video2.mp4

Output of checks

This bug happens on GitLab.com (probably on self-managed instances too).

Impact

Maintainer can create a fork relationship between existing projects contrary to documentation
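An added Python model of the authorization decision behind this endpoint, not GitLab's own code: the numeric access levels are GitLab's real ones, while the data classes, helper names and the inherited-role computation are assumptions made for the example. It replays the report's scenario against the reported behaviour and against the documented Owner-or-admin rule:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# GitLab's numeric access levels (real values); everything else here is a model.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

@dataclass
class Project:
    name: str
    group: Optional[str]                      # parent group, None for personal projects
    public: bool = False
    members: Dict[str, int] = field(default_factory=dict)   # user -> direct access level

@dataclass
class User:
    name: str
    admin: bool = False
    group_roles: Dict[str, int] = field(default_factory=dict)  # group -> access level

def effective_level(user: User, project: Project) -> int:
    """Highest of the direct project membership and the inherited group role."""
    direct = project.members.get(user.name, 0)
    inherited = user.group_roles.get(project.group, 0) if project.group else 0
    return max(direct, inherited)

def can_read(user: User, project: Project) -> bool:
    return user.admin or project.public or effective_level(user, project) >= GUEST

def can_create_fork_relationship(user: User, downstream: Project, upstream: Project, fixed: bool = True) -> bool:
    """fixed=False models the reported behaviour (any Maintainer of the downstream
    project passes); fixed=True models the documented rule (Owner or admin only).
    Either way the caller must at least be able to read the upstream project."""
    if not can_read(user, upstream):
        return False
    required = OWNER if fixed else MAINTAINER
    return user.admin or effective_level(user, downstream) >= required

def report_scenario() -> Dict[str, bool]:
    """Report setup, constructed here: victim owns victim-group (so victim-project);
    attacker is a direct Maintainer of victim-project and owns a public attacker-project."""
    victim = User("victim", group_roles={"victim-group": OWNER})
    attacker = User("attacker")
    victim_project = Project("victim-project", "victim-group", members={"attacker": MAINTAINER})
    attacker_project = Project("attacker-project", None, public=True, members={"attacker": OWNER})
    return {
        "maintainer_before_fix": can_create_fork_relationship(attacker, victim_project, attacker_project, fixed=False),
        "maintainer_after_fix": can_create_fork_relationship(attacker, victim_project, attacker_project, fixed=True),
        "owner_after_fix": can_create_fork_relationship(victim, victim_project, attacker_project, fixed=True),
    }
```

The fixed rule also refuses an Owner who cannot read the chosen upstream project, which is the second check a reviewer would want on this endpoint.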

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: