Developers can bypass code owners approval on MR

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2251872 by salh4ckr on 2023-11-14, assigned to @greg:

Report

Summary

Hello,
After my report #2236642 was closed as informative, I did deep research and found that the information in #2236642 was incomplete. What I reported there was the result of an issue I am going to describe in this report. Here I am reporting a behaviour which allows a malicious developer to bypass merge request approval. Please follow all the steps described; all are a must.

I found that when there are 2 branches on a project and every branch has its own code owner, a malicious developer can use approval from one branch and create conflicts which will allow him/her to bypass approval and update the CODEOWNERS file on another.

Steps to reproduce

Setup:

Video:
poc-approval(setup).mp4

As Owner:
  1. Create a new group and apply the Ultimate trial to it.
  2. Add 2 members with Developer permission (DEV1 and DEV2).
  3. Create a new branch and name it dev.
  4. Create a CODEOWNERS file in the main branch and add yourself as code owner.

* [@]YOUR_USERNAME

  5. Create a CODEOWNERS file in the dev branch and add DEV1 as code owner.

* [@]DEV1

  7. Navigate to Project settings => Repository => Protected branches, allow Developers + Maintainers to merge to main, and also toggle on Code owner approval.
  8. Navigate to Project settings => Repository => Protected branches, allow Developers + Maintainers to merge to dev_branch, and also toggle on Code owner approval.
prt.png
  9. Navigate to Project settings => Merge requests => Approval settings, check Prevent approval by author, Prevent approvals by users who add commits, and Prevent editing approval rules in merge requests, and under When a commit is added check Remove all approvals.
appr.png

ATTACK

Video:
poc-approval(attach).mp4

As DEV2:
  1. Go to Project > Repository and switch from main to dev.
  2. Click on the readme file and edit it, then proceed to create a merge request.
As DEV1:
  1. Approve the MR created by DEV2.
As DEV2:
  1. Go to the MR and click on Edit.
  2. Change the base branch to main.
  3. Then click on Resolve conflicts.
  4. Click on Edit inline and add DEV2 as code owner.
  5. Click Merge, and you will successfully update the CODEOWNERS file and update the readme at the same time. Next time you will need no approval.

Impact

A malicious developer can bypass code owner approval.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: