Direct shared group member can be shared into other projects contrary to documentation
HackerOne report #2044867 by theluci
on 2023-06-30, assigned to @kmorrison1:
Report
Hello,
Background
GitLab provides various types of memberships. For Direct shared or Inherited shared membership, one may use the Invite a group option.
In the above example,
- Direct members of My-other-group are Direct shared members of a-new-group
- Inherited members of My-other-group are Inherited shared members of a-new-group
Vulnerability
According to docs, Direct shared group members cannot be shared into other projects.
That is, a member that has Direct shared membership in a group should not have access to projects shared with the group.
However, the above is not enforced.
Steps to reproduce
- attacker creates a group attacker-group and adds victim as guest.
- victim creates a group victim-group.
- victim goes to https://gitlab.com/groups/<victim-group>/-/group_members, clicks on Invite a group and invites attacker-group. attacker is now a Direct shared group member of victim-group.
- victim creates a personal project victim-project in his namespace.
- victim goes to https://gitlab.com/<victim-username>/<victim-project>/-/project_members, clicks on Invite a group and invites victim-group. victim has shared his personal project victim-project with the victim-group.
- attacker visits victim-project.
- attacker continues to be able to access victim-project contrary to documentation, affecting Confidentiality and Integrity of data.
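An added audit example (not part of the report, and not GitLab's own code) that encodes the documented rule from the steps above and checks it against constructed membership data; the data is shaped after the GitLab REST API's `shared_with_groups` field on groups and projects and the user list from `/projects/:id/members/all`, with field names simplified and parent-group inheritance left out. Fetching the live data over the API is assumed to be done by the caller.

```python
# Added audit example: not part of the report or of GitLab's code base.
# Data is constructed to mirror the report's scenario; field names are
# simplified from the GitLab REST API (`shared_with_groups` on /groups/:id
# and /projects/:id, users from /projects/:id/members/all).  Parent-group
# inheritance is ignored to keep the model small.

# Constructed sample data: groups keyed by path, each with its direct
# members and the groups invited into it via "Invite a group".
GROUPS = {
    "attacker-group": {"direct_members": {"attacker", "victim"},
                       "shared_with_groups": []},
    "victim-group": {"direct_members": {"victim"},
                     "shared_with_groups": ["attacker-group"]},
}
# The personal project, with its direct members and the groups invited into it.
PROJECT = {"direct_members": {"victim"}, "shared_with_groups": ["victim-group"]}
# Constructed: what /projects/:id/members/all returned on the affected instance.
OBSERVED_MEMBERS = {"victim", "attacker"}


def direct_shared_members(group_path, groups):
    """Users who are in `group_path` only because their own group was invited."""
    shared = set()
    for invited in groups[group_path]["shared_with_groups"]:
        shared |= groups[invited]["direct_members"]
    return shared - groups[group_path]["direct_members"]


def documented_project_members(project, groups):
    """Per the docs: direct members of an invited group get access to the
    project; that group's Direct shared members do not."""
    allowed = set(project["direct_members"])
    for invited in project["shared_with_groups"]:
        allowed |= groups[invited]["direct_members"]
    return allowed


def unexpected_access(project, groups, observed):
    """Members the instance actually grants access to but the docs exclude."""
    return observed - documented_project_members(project, groups)


if __name__ == "__main__":
    print("direct shared members of victim-group:",
          direct_shared_members("victim-group", GROUPS))
    print("unexpected project access:",
          unexpected_access(PROJECT, GROUPS, OBSERVED_MEMBERS))
```

Any user returned by `unexpected_access` is one the documentation says should not reach the project through the group share, which is exactly the condition the report describes.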
POC
Output of checks
This bug happens on GitLab.com (Probably on instance too).
Impact
Direct shared group member can be shared into other projects (contrary to documentation) and continues having read & write access.