Bypassing CODEOWNERS approval allowing to steal protected variables
HackerOne report #2295423 by ali_shehab on 2023-12-22, assigned to GitLab Team:
Report
Summary
Hi team, hope you are well. There is something weird happening that allows me to bypass CODEOWNERS approval of a file. This is done by creating a branch through a merge request ali -> main and having the MR approved by the CODEOWNER, then deleting the ali branch, creating branch ali2 and adding evil code to it, and creating an MR. Now create ali from ali2. Go back to the first MR, reopen and merge; you will see that the evil code was added although it was not approved.
Steps to reproduce
As an owner:
- Create a new group and apply the Ultimate trial to it
- Create a new project in that group
- Create a CODEOWNERS file with the following content:
  [Code Owners]
  * @OWNER_USERNAME
- Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/repository, and do the following for the main branch:
  - Toggle on code owner approval
  - Allow developers and maintainers to merge
- Invite a developer to the group
As the developer:
- Create a new branch, add any change to any file, and create an MR from that branch to main; let's call that branch test-1
As the owner:
- Approve that MR (the owner sees the changes, they're all safe and can be merged)
As the developer:
- Delete the test-1 branch
- Create a new branch, call it test-2, add "evil" code to the repository, and create an MR with that change
- Create a new branch called test-1 from test-2
- Navigate back to the MR approved by the owner, open the MR, and merge
- Refresh the page, and verify that you can merge the MR
- Merge that MR, and verify that the second MR (created in step 9) is also merged
- Verify that the merged change is the one introduced in the second MR, which the owner didn't approve
Impact
Able to bypass CODEOWNERS approval, which can allow evil code to pass and protected environment variables to be stolen.
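To make the branch trick concrete, the following shell script (added for this page; it is not part of the report and not GitLab's code) replays the developer's steps in a throwaway local git repository and then compares the commit the owner approved with the commit the recreated test-1 branch points to. The branch names, file contents, the "@owner" CODEOWNERS entry and the approval_valid policy function are all constructed for the example; the point it shows is that an approval keyed to a branch name survives the delete/recreate, while one keyed to the approved commit SHA does not.

```shell
#!/bin/sh
# Added example, not part of the HackerOne report or of GitLab's code.
# Replays the branch delete/recreate trick in a throwaway local repository
# and compares the SHA the owner approved with what the branch points to
# afterwards. Branch names, file contents and the policy function below are
# constructed for this illustration.
set -eu

# git with a fixed identity so commits work on a machine without user config.
gitq() {
  git -c user.name=demo -c user.email=demo@example.com "$@"
}

# Create a repository whose main branch carries a CODEOWNERS file; print its path.
setup_repo() {
  repo=$(mktemp -d)
  gitq -C "$repo" init -q
  gitq -C "$repo" symbolic-ref HEAD refs/heads/main
  printf '* @owner\n' > "$repo/CODEOWNERS"
  printf 'print("hello")\n' > "$repo/app.py"
  gitq -C "$repo" add -A
  gitq -C "$repo" commit -q -m "initial"
  printf '%s\n' "$repo"
}

# Cut branch $2 from $3 in repo $1, commit $4 as app.py, print the new head SHA.
commit_on_branch() {
  gitq -C "$1" checkout -q -b "$2" "$3"
  printf '%s\n' "$4" > "$1/app.py"
  gitq -C "$1" commit -q -am "change on $2"
  gitq -C "$1" rev-parse HEAD
}

# Hardened policy (constructed): an approval is valid only for the exact commit
# it was given on, not for whatever the source branch name currently resolves to.
approval_valid() {
  [ "$1" = "$2" ]
}

# Replay the report's steps. Prints three lines: the approved SHA, the SHA that
# test-1 points to after the trick, and the app.py content that would be merged.
run_scenario() {
  repo=$(setup_repo)
  # Developer opens test-1 -> main with a harmless change; the owner approves it.
  approved=$(commit_on_branch "$repo" test-1 main 'print("safe change")')
  # Developer deletes test-1 and puts the evil change on test-2 (the second MR).
  gitq -C "$repo" checkout -q main
  gitq -C "$repo" branch -q -D test-1
  commit_on_branch "$repo" test-2 main 'print("evil change")' > /dev/null
  # Developer recreates test-1 from test-2; the first MR still reads "test-1 -> main".
  gitq -C "$repo" checkout -q -b test-1 test-2
  current=$(gitq -C "$repo" rev-parse refs/heads/test-1)
  merged=$(gitq -C "$repo" show test-1:app.py)
  rm -rf "$repo"
  printf '%s\n%s\n%s\n' "$approved" "$current" "$merged"
}

# Run the scenario and print a verdict.
out=$(run_scenario)
approved_sha=$(printf '%s\n' "$out" | sed -n 1p)
head_sha=$(printf '%s\n' "$out" | sed -n 2p)
if approval_valid "$approved_sha" "$head_sha"; then
  echo "approval still valid for the current head"
else
  echo "approval was given on $approved_sha but test-1 now points to $head_sha"
fi
```

The check a reviewer wants here is the one in approval_valid: record the head SHA at approval time and refuse to merge when the source branch head no longer matches it, whether the head moved by a push or by the branch being deleted and recreated.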
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: