Developers can bypass code owners approval by changing a MR's base branch

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2236642 by salh4ckr on 2023-11-02, assigned to @kmorrison1:


Report

Summary

Hello team,

I found this issue while trying to find a bypass of #422142 (closed), and I found another way to bypass code owner approval by changing a MR's branch.

  • I can use approval from X branch to push in Y protected branch.

Steps to reproduce

As Owner:

  1. Create a new group and apply the ultimate trial to it.
  2. Create a new project in that group.
  3. Add a developer member.
  4. Create new branch: dev_branch.
  5. Create CODEOWNERS file in main branch:

        [Code Owners]
        * [@]YOUR_USERNAME

  6. Create CODEOWNERS file in dev_branch:

        [Code Owners]
        * [@]YOUR_USERNAME

  7. Navigate to Project settings => Repository => Protected branches, and allow Developers + Maintainers to merge to main, and also toggle on Code owner approval.
  8. Navigate to Project settings => Repository => Protected branches, and allow Developers + Maintainers to merge to dev_branch, and also toggle on Code owner approval.
    prtectd.png
  9. Navigate to Project settings => Merge requests => Approval settings, check Prevent approval by author, Prevent approvals by users who add commits, and Prevent editing approval rules in merge requests, and under When a commit is added: select Remove all approvals.
    appvl.png

As Developer:

  1. Go to project > repository and switch from main to dev_branch.
    switch.png

  2. Edit or add a file and add the content you want to be in main.

  3. Create a merge request.

As Owner:

  1. Approve the merge request created by the developer.

As Developer:

  1. On the merge request click Edit, then change the base branch of the MR to main, and verify that the approval persists.

  2. Now click Merge.

  3. Go to the project repository; you will see your changes in the main branch.

What is the current bug behavior?

Changing the base branch of a MR persists code owners' approvals.

What is the expected correct behavior?

Changing the base branch of a MR should remove code owners' approvals.

Impact

Ability to push in protected branch using approval from different branch

Video:
POC_Approvals.mp4
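The following is an added illustration of the reported versus expected approval behaviour, written as a small constructed model; it is not GitLab's code and does not reflect its internal data structures. The CODEOWNERS map, branch and user names, and the function names (mergeable_reported, mergeable_expected, stale_approvals) are assumptions chosen to mirror the reproduction steps above. The model records, for each approval, which target branch the MR had at approval time; the expected check only honours approvals given against the current target, and the audit helper lists MRs still carrying approvals tied to a different target.

```python
from dataclasses import dataclass, field

# Constructed CODEOWNERS map: each protected branch requires approval from these owners.
# Mirrors the report, where both main and dev_branch list the same owner.
CODEOWNERS = {"main": {"owner"}, "dev_branch": {"owner"}}


@dataclass
class MergeRequest:
    """Minimal constructed MR model (assumption, not GitLab's representation)."""
    author: str
    source: str
    target: str
    # user -> target branch the MR had when that user approved
    approvals: dict = field(default_factory=dict)

    def approve(self, user):
        # Models the "Prevent approval by author" setting enabled in step 9.
        if user == self.author:
            raise PermissionError("author may not approve their own merge request")
        self.approvals[user] = self.target

    def retarget(self, new_target):
        # Editing the MR changes its target; recorded approvals are left untouched,
        # which is exactly the situation the report describes.
        self.target = new_target


def required_owners(mr):
    """Owners who must approve for the MR's current target branch."""
    return CODEOWNERS.get(mr.target, set())


def mergeable_reported(mr):
    """Reported behaviour: every recorded approval counts, whatever target it was given for."""
    return required_owners(mr) <= set(mr.approvals)


def mergeable_expected(mr):
    """Expected behaviour: only approvals given against the current target count."""
    valid = {user for user, target in mr.approvals.items() if target == mr.target}
    return required_owners(mr) <= valid


def reproduce(check):
    """Replay the report's scenario and return whether the MR may merge into main."""
    mr = MergeRequest(author="developer", source="feature", target="dev_branch")
    mr.approve("owner")   # owner approves while the target is dev_branch
    mr.retarget("main")   # developer edits the MR and changes the target to main
    return check(mr)


def stale_approvals(mrs):
    """Audit helper: (source, target, user, approved_for) for approvals tied to a different target."""
    return [
        (mr.source, mr.target, user, approved_for)
        for mr in mrs
        for user, approved_for in mr.approvals.items()
        if approved_for != mr.target
    ]


if __name__ == "__main__":
    print("reported behaviour allows merge:", reproduce(mergeable_reported))
    print("expected behaviour allows merge:", reproduce(mergeable_expected))
```

Running the block shows the reported check allowing the merge into main on the strength of an approval given for dev_branch, while the expected check does not; stale_approvals over a list of such MRs gives a reviewer a way to spot the same condition after the fact.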

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: