Bypass CODEOWNERS approval removal
HackerOne report #2115574 by ali_shehab
on 2023-08-18, assigned to @greg:
Report
Summary
Hi team, hope you are well. There is something weird happening that allows me to bypass CODEOWNERS approval of a file. This is done by creating an MR from branch test to main; the owner approves. Now you add another MR from test2 to test and merge it. So new code is added to test, however the approval is not removed, although in the merge request rule I said to reset approvals if new code is added.
Steps to reproduce
- Create a group named CodeOwners and a project named test with a README.md file.
- Start the free trial for the CodeOwners group.
- Invite a developer to the CodeOwners group, for example with the username userA.
- Now go to project test and add a file named CODEOWNERS with this content (the `[@]` is the report's escaping of the `@` mention):
  README.md [@]userA
- Now the owner of README.md is userA.
- Go to project settings => protected branches => main, turn on code owner approval and turn off push and merge.
- Go to project settings => merge requests and add those settings:
- Now, from your account (not userA), edit README.md and open an MR with branch name test.
- userA now approves the code.
- Now, from your account, go to branch test, edit README.md and open an MR with branch name test2 and base test.
- Merge test2 into test, so new code is added to the first MR.
- Now go to the first MR: it is still approved, although new code was added, and you can merge it.
The video (sorry, it will be long, but I will cover everything):
bandicam_2023-08-18_13-57-01-962.mp4
Impact
Bypass code owners approval. For example, you can pass a safe file in the .gitlab-ci.yaml, and when the owner approves it you can add malicious code that allows you to read all protected variables and allows him to push without requiring approval by the code owner.
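Added example, not part of the report or of GitLab's code: a toy model of the approval flow in the steps above. It shows why an approval recorded only as "userA approved" survives a merge into the MR's source branch, and contrasts it with a check that binds each approval to the source-branch head SHA it was given on. Branch names follow the report; the SHAs and class names are constructed.

```python
"""Model of MR approvals that are, or are not, invalidated when the source branch changes."""
from dataclasses import dataclass, field


@dataclass
class MergeRequest:
    iid: int
    source: str
    target: str
    # approver -> head SHA of the source branch at the time of approval
    approvals: dict = field(default_factory=dict)


class Project:
    """Constructed toy project: branch heads are fake SHA strings, not real commits."""

    def __init__(self):
        self.branches = {"main": "sha-main-0"}
        self.mrs = []

    def open_mr(self, source, target):
        mr = MergeRequest(len(self.mrs) + 1, source, target)
        self.mrs.append(mr)
        return mr

    def approve(self, mr, user):
        mr.approvals[user] = self.branches[mr.source]

    def push(self, branch, new_sha):
        """Direct push: the 'reset approvals on push' rule clears approvals of MRs from this branch."""
        self.branches[branch] = new_sha
        for mr in self.mrs:
            if mr.source == branch:
                mr.approvals.clear()

    def merge(self, mr):
        # Modelled defect from the report: merging another MR into this branch moves
        # its head but goes through no reset, so stale approvals remain on record.
        self.branches[mr.target] = self.branches[mr.source]

    def approved_by_record(self, mr):
        """Naive check: any approval on record counts."""
        return bool(mr.approvals)

    def approved_by_sha(self, mr):
        """Hardened check: an approval counts only for the head SHA it was given on."""
        return self.branches[mr.source] in mr.approvals.values()


def reproduce_scenario():
    """Replays the report's steps; returns (naive verdict, SHA-bound verdict) for the first MR."""
    p = Project()
    p.push("test", "sha-test-1")          # README.md edited on branch test
    mr1 = p.open_mr("test", "main")
    p.approve(mr1, "userA")               # code owner approves sha-test-1
    p.push("test2", "sha-test2-1")        # further edit on branch test2
    p.merge(p.open_mr("test2", "test"))   # merged into test: mr1's head is now sha-test2-1
    return p.approved_by_record(mr1), p.approved_by_sha(mr1)
```

The naive verdict still reports the first MR as approved, while the SHA-bound check rejects it because the approved SHA is no longer the source-branch head.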
Attachments
Warning: Attachments received through HackerOne, please exercise caution!