Maintainer can create a fork relationship between existing projects contrary to documentation
HackerOne report #2058121 by theluci
on 2023-07-08, assigned to @kmorrison1:
Report
Hello,
Background
GitLab provides a feature to create a fork of a project.
When you create a fork of a project using the UI, you become the owner of the forked (downstream) project. That is, only the owner of a project can create the fork relationship between the downstream project and the upstream project.
Similarly, only the owner of a project can remove a fork relationship.
When using the API, according to the docs, only project owners and administrators can create a fork relationship between existing projects, and likewise only they can delete an existing fork relationship.
Vulnerability
According to the docs, only project owners and administrators can create a fork relationship between existing projects.
However, this is not enforced: a Maintainer can create a fork relationship between existing projects.
This behaviour contradicts both what happens when using the UI and what the docs say should happen.
Steps to reproduce
- victim creates a group victim-group and a project victim-project inside it.
- victim goes to the victim-project membership page, https://gitlab.com/<victim-group>/<victim-project>/-/project_members, and adds attacker as a maintainer.
- attacker creates a personal project attacker-project.
- attacker goes to his terminal and runs the following command:
  curl --request POST --header "PRIVATE-TOKEN: <access_token>" "https://gitlab.com/api/v4/projects/<victim_project_ID>/fork/<attacker_project_ID>"
- attacker was able to create a fork relationship between victim-project and attacker-project, contrary to documentation (victim-project as the downstream project and attacker-project as the upstream project).

Please note that above, attacker created a fork relationship between victim-project and attacker-project. However, that isn't necessary: attacker can create a fork relationship between victim-project and any project attacker has access to, including public projects.
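Because the relationship is created by an API call that leaves no trace in the UI flow an owner would normally go through, a group owner wanting to know whether this has happened needs to audit the fork relationships of their projects. The script below is an added example written for this page; it is not part of the HackerOne report or of GitLab's code. It reads the "forked_from_project" object that GitLab's GET /projects/:id response carries for forks, flags any project whose upstream lives outside a list of trusted namespaces, and names the documented DELETE /projects/:id/fork endpoint as the remediation. The sample project payloads, the trusted-namespace list and the helper names are constructed for the example.

```python
"""Audit fork relationships of GitLab projects and flag upstreams that sit
outside the namespaces an owner trusts. Added example; not GitLab's own code.

API shapes used (documented GitLab REST behaviour):
  GET    /api/v4/projects/:id       -> includes "forked_from_project" for forks
  DELETE /api/v4/projects/:id/fork  -> removes the fork relationship
"""
from __future__ import annotations

import json
import urllib.request

# Constructed sample responses, trimmed to the fields this audit reads.
# Project 101 mirrors the report: a project in victim-group that has been
# declared a fork of a project owned by an outside user.
SAMPLE_PROJECTS = [
    {
        "id": 101,
        "path_with_namespace": "victim-group/victim-project",
        "forked_from_project": {
            "id": 202,
            "path_with_namespace": "attacker/attacker-project",
            "namespace": {"full_path": "attacker"},
        },
    },
    {
        "id": 102,
        "path_with_namespace": "victim-group/library",
        # A plain project: no "forked_from_project" key at all.
    },
    {
        "id": 103,
        "path_with_namespace": "victim-group/library-experiments",
        "forked_from_project": {
            "id": 102,
            "path_with_namespace": "victim-group/library",
            "namespace": {"full_path": "victim-group"},
        },
    },
]


def upstream_is_trusted(upstream: dict, trusted_namespaces: list[str]) -> bool:
    """True if the upstream project lives in, or in a subgroup of, a trusted namespace."""
    ns = upstream.get("namespace", {}).get("full_path", "")
    return any(ns == t or ns.startswith(t + "/") for t in trusted_namespaces)


def find_unexpected_forks(projects: list[dict], trusted_namespaces: list[str]) -> list[dict]:
    """Return one finding per project whose upstream is outside the trusted namespaces."""
    findings = []
    for project in projects:
        upstream = project.get("forked_from_project")
        if not upstream:
            continue  # not a fork, nothing to check
        if upstream_is_trusted(upstream, trusted_namespaces):
            continue  # fork of something the group itself owns
        findings.append({
            "project_id": project["id"],
            "project": project["path_with_namespace"],
            "upstream_id": upstream["id"],
            "upstream": upstream["path_with_namespace"],
            # Removing the relationship is the documented owner/admin action.
            "remediation": f"DELETE /api/v4/projects/{project['id']}/fork",
        })
    return findings


def fetch_project(base_url: str, token: str, project_id: int) -> dict:
    """Live variant of the data source: GET /projects/:id with a PRIVATE-TOKEN header.

    Not called by this example (it needs network access and a real token);
    its result has the same shape as the SAMPLE_PROJECTS entries above."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for f in find_unexpected_forks(SAMPLE_PROJECTS, ["victim-group"]):
        print(f"{f['project']} (id {f['project_id']}) is a fork of "
              f"{f['upstream']} (id {f['upstream_id']}); fix with {f['remediation']}")
```

Run against the constructed data, the audit reports only victim-project (forked from attacker/attacker-project); library-experiments is ignored because its upstream is inside victim-group. To run it for real, feed the results of fetch_project (or a paginated group project listing) into find_unexpected_forks with your own group paths as the trusted namespaces.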
POC
Output of checks
This bug happens on GitLab.com (and probably on self-managed instances too).
Impact
Maintainer can create a fork relationship between existing projects contrary to documentation
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: