Developers can bypass code owners approval on MR
HackerOne report #2251872 by salh4ckr
on 2023-11-14, assigned to @greg:
Report
Summary
Hello,
After my report #2236642 was closed as informative, I did deeper research and I found that the information in #2236642 was incomplete. What I reported there was the result of an issue I am going to describe in this report. Here I am reporting a behaviour which allows a malicious developer to bypass merge request approval. Please follow all the steps described; all of them are a must.
I found that when there are 2 branches on a project and every branch has its own code owner, a malicious developer can use an approval from one branch and create conflicts which will allow him/her to bypass approval and update the CODEOWNERS file on the other.
Steps to reproduce
Setup:
video:
poc-approval(setup).mp4
As Owner:
1. Create a new group and apply the Ultimate trial to it.
2. Add 2 members with Developer permission (DEV1 and DEV2).
3. Create a new branch and name it dev.
4. Create a CODEOWNERS file in the main branch and add yourself as code owner:
   * [@]YOUR_USERNAME
5. Create a CODEOWNERS file in the dev branch and add DEV1 as code owner:
   * [@]DEV1
6. Navigate to Project settings => Repository => Protected branches, allow Developers + Maintainers to merge to main, and also toggle on Code owner approval.
7. Navigate to Project settings => Repository => Protected branches, allow Developers + Maintainers to merge to the dev branch, and also toggle on Code owner approval.
8. Navigate to Project settings => Merge requests => Approval settings, check Prevent approval by author, Prevent approvals by users who add commits, and Prevent editing approval rules in merge requests, and under "When a commit is added" select Remove all approvals.
Attack:
video:
poc-approval(attach).mp4
As DEV2:
1. Go to Project > Repository and switch from main to dev.
2. Click on the README file, edit it, and proceed to create a merge request.
As DEV1:
3. Approve the MR created by DEV2.
As DEV2:
4. Go to the MR and click on Edit.
5. Change the target branch to main.
6. Then click on Resolve conflicts.
7. Click on Edit inline and add DEV2 as code owner.
8. Click Merge, and you will successfully update the CODEOWNERS file and update the README at the same time. Next time you will need no approval.
Impact
A malicious developer can bypass code owner approval.
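To make the failure mode concrete from the defender's side, here is an added model of the approval check (illustrative code written for this page, not GitLab's implementation). It contrasts a weak check that judges approvals against the branch the MR was opened against and never expires them with a hardened check that takes code owners from the current target branch and discards approvals older than the last commit or retarget; the CODEOWNERS contents, user names and MR timeline are constructed placeholders mirroring the report's setup.

```python
import fnmatch

# Constructed CODEOWNERS per branch, mirroring the report's setup (placeholder names).
CODEOWNERS_BY_BRANCH = {"main": "* @owner\n", "dev": "* @dev1\n"}

def parse_codeowners(text):
    """Parse 'pattern @user ...' lines into (pattern, {users}) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, {o.lstrip("@") for o in owners}))
    return rules

def owners_for(path, rules):
    """Owners from the last matching rule (last match wins), else empty set."""
    matched = set()
    for pattern, owners in rules:
        if fnmatch.fnmatch(path, pattern):
            matched = owners
    return matched

def naive_approvals_valid(mr):
    """Weak check: owners taken from the branch the MR was opened against,
    and approvals never expire, so retarget + conflict commit slips through."""
    rules = parse_codeowners(CODEOWNERS_BY_BRANCH[mr["original_target"]])
    approvers = {a["user"] for a in mr["approvals"]}
    return all(owners_for(p, rules) & approvers for p in mr["changed_files"])

def approvals_valid(mr):
    """Hardened check: owners come from the *current* target branch, and only
    approvals newer than the last commit and the last retarget count."""
    rules = parse_codeowners(CODEOWNERS_BY_BRANCH[mr["target_branch"]])
    cutoff = max(mr["last_commit_at"], mr["last_retarget_at"])
    live = {a["user"] for a in mr["approvals"] if a["at"] > cutoff}
    return all(owners_for(p, rules) & live for p in mr["changed_files"])

# Constructed timeline of the reported MR: opened against dev, approved by DEV1
# (t=1), retargeted to main (t=2), conflicts resolved by a commit that also
# edits CODEOWNERS (t=3).
REPORTED_MR = {
    "original_target": "dev", "target_branch": "main",
    "approvals": [{"user": "dev1", "at": 1}],
    "last_retarget_at": 2, "last_commit_at": 3,
    "changed_files": ["README.md", "CODEOWNERS"],
}
```

Running `naive_approvals_valid(REPORTED_MR)` returns True (the bypass), while `approvals_valid(REPORTED_MR)` returns False because DEV1 does not own anything on main and the approval predates both the retarget and the conflict-resolution commit.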