Bypassing approvals of CODEOWNERS
HackerOne report #2296778 by ali_shehab
on 2023-12-25, assigned to @ameyadarshan:
Report
Summary
Hello team, an owner can configure the project to reset all code owners' approvals in an MR if the "protected" files change. However, developers can bypass code owners' approvals and inject unapproved code into the project by some weird Git fuzzing.
Steps to reproduce
As an owner:
- Create a new group, and apply the ultimate trial to it
- Create a new private project in that group
- Create a `CODEOWNERS` file with the following content:

```
[Code Owners]
*.yml [@]OWNER_USERNAME
```

- Create a `.gitlab-ci.yml` file with the following content:

```yaml
my_job:
  script:
    - echo "Hello"
```
- Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/repository, allow developers and maintainers to merge and toggle on code owners approval
- Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/merge_requests, and enable "Remove approvals by Code Owners if their files changed"
- Invite a developer to that group
As the developer:
- Navigate to the `.gitlab-ci.yml` file, click edit, don't make any changes, and create an MR. It's an empty MR so no approvals are needed; merge that MR
As the owner:
- Add any change to the `.gitlab-ci.yml` file, for example (direct commit):

```yaml
my_job:
  script:
    - echo "Hello"
    - echo "This is just another change"
```
As the developer:
- Create a change on the README file, and create an MR with that change
As the owner:
- Approve that MR. The owner at this point is okay merging this change as it doesn't affect `.yml` files
As the developer:
- Clone that project locally:

```sh
git clone ...
```

- Check out the MR branch:

```sh
git checkout BRANCH
```

- Reset the last 2 commits (`HEAD` must be upper-case on case-sensitive filesystems):

```sh
git reset HEAD~2
```

- Add any "evil" code to `.gitlab-ci.yml`, for example:

```yaml
my_job:
  script:
    - echo "Hello"
    - echo "This is just another change"
my_evil_job:
  script:
    - echo "Evil"
```

- Commit amend and push:

```sh
git add . && git commit --amend --no-edit && git push origin BRANCH -f
```

- Navigate to the MR's UI, resolve conflicts and choose "Use Ours"
- Refresh that page, and verify that you can merge the unapproved `.gitlab-ci.yml` changes
Impact
Developers can bypass code owners' approvals allowing them to:
- Push code to protected branches.
- Disclose group/project protected CI/CD variables
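The defensive check this report argues for is that an approval must be tied to the tree that was approved, not to the MR diff against the target branch, so a force-push that rewrites history is caught. The following is an added illustration written for this page (not GitLab's code): a simplified CODEOWNERS matcher plus a function that compares the approved tree with the newly pushed tree and lists protected paths whose content changed. The trees, the `@owner` handle and the section/pattern handling are constructed and simplified assumptions.

```python
import fnmatch
import re

# Parse a GitLab-style CODEOWNERS file into (pattern, owners) rules.
# Section headers such as "[Code Owners]" are skipped; blank lines and
# comments are ignored. Simplified: no optional sections or approval counts.
def parse_codeowners(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\^?\[.*\]", line):
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules

# Gitignore-like matching (simplified): a pattern without a slash matches the
# basename at any depth; a pattern containing a slash is anchored to the root
# and also covers everything below a directory it names.
def path_is_protected(path, rules):
    for pattern, owners in rules:
        if not owners:
            continue  # a pattern with no owners protects nothing
        if pattern.startswith("/") or "/" in pattern.rstrip("/"):
            anchored = pattern.strip("/")
            if fnmatch.fnmatch(path, anchored) or path.startswith(anchored + "/"):
                return True
        elif fnmatch.fnmatch(path.rsplit("/", 1)[-1], pattern):
            return True
    return False

# Compare the tree that was approved with the tree now on the branch. Any
# protected path that was added, removed or modified between the two means
# the existing code owner approvals must be reset.
def protected_paths_changed_since_approval(approved_tree, current_tree, rules):
    paths = set(approved_tree) | set(current_tree)
    return sorted(
        p for p in paths
        if path_is_protected(p, rules) and approved_tree.get(p) != current_tree.get(p)
    )

# Constructed sample mirroring the report: the approved head changed only
# README.md; the force-pushed head also rewrote .gitlab-ci.yml.
CODEOWNERS = "[Code Owners]\n*.yml @owner\n"
CI_ORIGINAL = 'my_job:\n  script:\n    - echo "Hello"\n'
APPROVED_TREE = {"README.md": "changed", ".gitlab-ci.yml": CI_ORIGINAL}
PUSHED_TREE = {"README.md": "changed",
               ".gitlab-ci.yml": CI_ORIGINAL + 'my_evil_job:\n  script:\n    - echo "Evil"\n'}

if __name__ == "__main__":
    print(protected_paths_changed_since_approval(APPROVED_TREE, PUSHED_TREE, parse_codeowners(CODEOWNERS)))
```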