
Service account not deleted when namespace is deleted allowing access to internal projects

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2040822 by joaxcar on 2023-06-27, assigned to GitLab Team:


Report

Summary

The new service account feature is subject to the same issue as project and group access tokens previously were: a service account connected to a namespace is not deleted when the namespace is deleted. See a long discussion on the topic here https://hackerone.com/reports/1199561

The problem is that a user who owns a group on an instance can create a service account, and if an admin removes the user and all its projects and groups, the removed user will still have access to internal projects through the (now "orphan") service account.

As with group and project access tokens, these namespace-connected service accounts should be deleted if the namespace is deleted.

Steps to reproduce

Use either a group with an unlimited trial on gitlab.com or use a self-hosted Premium server. Also make sure to have an access token generated for the user you are testing with.

  1. Create a new group (or subgroup) and take note of the group ID.
  2. Run this in a terminal:

         curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group id>/service_accounts"

  3. Take note of the service account ID.
  4. Now run this command to create a token for the service account:

         curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group id>/service_accounts/<service account id>/personal_access_tokens" --data "scopes[]=api" --data "name=service_accounts_token"

  5. Take note of the generated access token.
  6. Now use the new access token against the API:

         curl --header "PRIVATE-TOKEN: <service_access_token>" "https://gitlab.example.com/api/v4/user"

     There is a bug telling you that the user needs to accept terms and services; it does not matter, you can see that the service account exists.
  7. Now go to https://gitlab.com/groups/NameOfGroup/-/edit, scroll down to "Advanced", expand it and scroll down to "Delete group". Delete the group.
  8. Do the request from step 6 again and see that the user still exists even when the group is gone.

This PoC shows that the issue exists. A more involved PoC would include deleting the user and all its groups, and then prove that the service account is still present. I can write up the steps if needed.

Impact

A deleted user can use service accounts as a back door to access internal projects after being removed from the instance. The service accounts will have full read access to internal projects and can also create issues and perform other integrity-affecting actions.

How is it working today

Deleting a namespace does not delete the connected service accounts

How it should work

Deleting a namespace should delete any connected service account

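To make the two behaviours concrete, here is an added model written for this page (not GitLab's code): namespace-bound service accounts where `delete_group(cascade=False)` is how it works today, `cascade=True` is how it should work, and `orphaned_service_accounts()` is the audit an admin could run over the same data after a user or group has been removed. The `Instance` class, the user id 42 and all generated ids and tokens are constructed for the model.

```python
from itertools import count
import secrets

class Instance:
    """In-memory stand-in for an instance: groups, namespace-bound service accounts, PATs."""

    def __init__(self):
        self.groups = {}            # group id -> owning user id
        self.service_accounts = {}  # service account id -> provisioning group id
        self.tokens = {}            # PAT -> service account id
        self._ids = count(1)

    def create_group(self, owner_id):
        gid = next(self._ids)
        self.groups[gid] = owner_id
        return gid

    def create_service_account(self, group_id):  # POST /groups/:id/service_accounts
        sa_id = next(self._ids)
        self.service_accounts[sa_id] = group_id
        return sa_id

    def create_token(self, sa_id):  # POST .../service_accounts/:sa_id/personal_access_tokens
        token = secrets.token_urlsafe(20)
        self.tokens[token] = sa_id
        return token

    def authenticate(self, token):  # PRIVATE-TOKEN lookup; None means the request is rejected
        sa_id = self.tokens.get(token)
        return sa_id if sa_id in self.service_accounts else None

    def delete_group(self, group_id, cascade):
        del self.groups[group_id]
        if cascade:  # the fix: accounts bound to the namespace (and so their PATs) go with it
            for sa_id in [s for s, g in self.service_accounts.items() if g == group_id]:
                del self.service_accounts[sa_id]

    def delete_user(self, user_id, cascade):  # admin removes the user and every group they own
        for gid in [g for g, owner in self.groups.items() if owner == user_id]:
            self.delete_group(gid, cascade)

    def orphaned_service_accounts(self):  # audit: accounts whose provisioning group is gone
        return [s for s, g in self.service_accounts.items() if g not in self.groups]

def reproduce(cascade):
    """Replay the report; returns (token still authenticates, number of orphaned accounts)."""
    inst = Instance()
    token = inst.create_token(inst.create_service_account(inst.create_group(owner_id=42)))
    inst.delete_user(42, cascade)
    return inst.authenticate(token) is not None, len(inst.orphaned_service_accounts())
```

With `cascade=False` the removed user's token still authenticates and the audit reports one orphan; with `cascade=True` the token is rejected and nothing is orphaned.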

How To Reproduce

Please add reproducibility information to this section: