Bypassing CODEOWNERS approval allowing to steal protected variables
HackerOne report #2295423 by ali_shehab
on 2023-12-22, assigned to GitLab Team
Report
Summary
Hi team, hope you are well. There is something weird happening that allows me to bypass CODEOWNERS approval of a file. This is done by creating a branch through a merge request ali -> main and approving the MR as the CODEOWNER, then deleting the ali branch, creating branch ali2, adding evil code to it, and creating an MR. Now create ali from ali2. Go back to the first MR, reopen and merge; you will see that the evil code was added although it was not approved.
Steps to reproduce
As an owner:
1. Create a new group and apply the ultimate trial to it
2. Create a new project in that group
3. Create a CODEOWNERS file with the following content:
   [Code Owners]
   * [@]OWNER_USERNAME
4. Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/repository, and do the following for the main branch:
   - Toggle on code owner approval
   - Allow developers and maintainers to merge
5. Invite a developer to the group
As the developer:
6. Create a new branch, add any change to any file, and create an MR from that branch to main; let's call that branch test-1
As the owner:
7. Approve that MR (the owner sees the changes, they're all safe and can be merged)
As the developer:
8. Delete the test-1 branch
9. Create a new branch, call it test-2, add "evil" code to the repository, and create an MR with that change
10. Create a new branch called test-1 from test-2
11. Navigate back to the MR approved by the owner, open the MR and merge
12. Refresh the page, and verify that you can merge the MR
13. Merge that MR, and verify that the second MR (created in step 9) is also merged
14. Verify that the merged change is the one introduced in the second MR, which the owner didn't approve
Screen_Recording_2023-12-22_at_8.56.50___PM.mov
Impact
Able to bypass CODEOWNERS approval, which can lead to passing evil code and stealing the protected environment.
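The root of the issue described above is an approval that outlives the commit it was granted on: the source branch is deleted and recreated with different content, yet the earlier code-owner approval still counts. The following Python model, added here as an illustration and not GitLab's own code, shows the difference between an approval gate that only checks for a code-owner approval on the MR and one that binds each approval to the head commit that was reviewed. All names (Repo, MergeRequest, can_merge, the branch names and contents) are constructed for the example; commit ids are content hashes standing in for real git SHAs.

```python
"""Constructed model: binding code-owner approvals to the reviewed commit.

Not GitLab code. A branch head is represented by a hash of its content,
so recreating a branch from another branch yields the other branch's head.
"""
import hashlib
from dataclasses import dataclass, field


def commit_id(content: str) -> str:
    # Stand-in for a git commit SHA: hash of the content being merged.
    return hashlib.sha256(content.encode()).hexdigest()[:12]


@dataclass
class Approval:
    approver: str
    head: str            # commit the approver actually reviewed


@dataclass
class MergeRequest:
    source_branch: str
    approvals: list = field(default_factory=list)


class Repo:
    def __init__(self, code_owners):
        self.branches = {}                # branch name -> head commit id
        self.code_owners = set(code_owners)

    def push(self, branch: str, content: str) -> None:
        self.branches[branch] = commit_id(content)

    def delete_branch(self, branch: str) -> None:
        del self.branches[branch]

    def create_branch_from(self, new: str, existing: str) -> None:
        # Same head commit as the branch it is created from.
        self.branches[new] = self.branches[existing]


def approve(repo: Repo, mr: MergeRequest, user: str) -> None:
    if user not in repo.code_owners:
        raise PermissionError(f"{user} is not a code owner")
    # Record the head that was on the branch at approval time.
    mr.approvals.append(Approval(user, repo.branches[mr.source_branch]))


def can_merge(repo: Repo, mr: MergeRequest, bind_to_head: bool):
    """Return (allowed, reason).

    bind_to_head=False: any code-owner approval on the MR is accepted,
    regardless of what the branch now points at (the weak behaviour).
    bind_to_head=True: an approval counts only if it was granted on the
    commit that would actually be merged (the hardened check).
    """
    current = repo.branches.get(mr.source_branch)
    if current is None:
        return False, "source branch does not exist"
    owner_approvals = [a for a in mr.approvals if a.approver in repo.code_owners]
    if not owner_approvals:
        return False, "no code-owner approval"
    if bind_to_head and not any(a.head == current for a in owner_approvals):
        return False, f"approval was for a different head (current {current})"
    return True, "ok"


def run_scenario(bind_to_head: bool):
    """Replay the branch-recreation sequence and return the final gate verdict."""
    repo = Repo(code_owners=["owner"])
    repo.push("main", "base")
    repo.push("test-1", "safe change")          # developer opens test-1 -> main
    mr = MergeRequest("test-1")
    approve(repo, mr, "owner")                  # owner reviews the safe change
    first_verdict = can_merge(repo, mr, bind_to_head)

    repo.delete_branch("test-1")                # developer deletes test-1
    repo.push("test-2", "evil change")          # ...pushes different content
    repo.create_branch_from("test-1", "test-2") # ...recreates test-1 from it
    second_verdict = can_merge(repo, mr, bind_to_head)
    return first_verdict[0], second_verdict[0], second_verdict[1]


if __name__ == "__main__":
    print("unbound approvals:", run_scenario(bind_to_head=False))
    print("bound approvals:  ", run_scenario(bind_to_head=True))
```

With unbound approvals the gate still says "ok" after the branch has been swapped out, which is the behaviour the report demonstrates; with approvals bound to the reviewed commit, the recreated branch carries a different head and the earlier approval no longer satisfies the gate.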
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: