
Bypassing approvals of CODEOWNERS

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2296778 by ali_shehab on 2023-12-25, assigned to @ameyadarshan:


Report

Summary

Hello team, an owner can configure the project to reset all code owners' approvals in an MR if the "protected" files change. However, developers can bypass code owners' approvals and inject unapproved code into the project, by some weird GIT fuzzing.

Steps to reproduce

As an owner:

  1. Create a new group, and apply the Ultimate trial to it
  2. Create a new private project in that group
  3. Create a CODEOWNERS file, with the following content
[Code Owners]
*.yml @OWNER_USERNAME
  4. Create a .gitlab-ci.yml file, with the following content
my_job:
    script:
        - echo "Hello"
  5. Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/repository, allow developers and maintainers to merge and toggle on code owners approval
  6. Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/merge_requests, and enable "Remove approvals by Code Owners if their files changed"
  7. Invite a developer to that group

As the developer:

  1. Navigate to the .gitlab-ci.yml file, click edit, don't make any changes, and create an MR. It's an empty MR, so no approvals are needed; merge that MR

As the owner:

  1. Add any change to the .gitlab-ci.yml file, for example (direct commit)
my_job:
    script:
        - echo "Hello"
        - echo "This is just another change"

As the developer:

  1. Create a change on the README file, and create an MR with that change

As the owner:

  1. Approve that MR, the owner at this point is okay merging this change as it doesn't affect .yml files

As the developer:

  1. Clone that project locally: git clone ...
  2. Check out the MR branch: git checkout BRANCH
  3. Reset the last 2 commits: git reset HEAD~2
  4. Add any "evil" code to .gitlab-ci.yml, for example
my_job:
    script:
        - echo "Hello"
        - echo "This is just another change"

my_evil_job:
    script:
        - echo "Evil"
  5. Amend the commit and force-push: git add . && git commit --amend --no-edit && git push origin BRANCH -f
  6. Navigate to the MR's UI, resolve conflicts and choose "Use Ours"
  7. Refresh that page, and verify that you can merge the unapproved .gitlab-ci.yml changes

WhatsApp_Video_2023-12-25_at_5.59.25_PM.mp4

Impact

Developers can bypass code owners' approvals allowing them to:

  1. Push code to protected branches.
  2. Disclose group/project protected CI/CD variables

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
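Added example (not GitLab's code and not part of the reporter's submission): a small Python model of the "Remove approvals by Code Owners if their files changed" decision, built around the report's scenario. It parses the report's CODEOWNERS rule, models the MR as the set of paths it changes relative to its merge base with the target branch (with constructed blob ids standing in for real object ids), and flags the force-push from the reset/amend step. The check compares the whole MR diff before and after the push, not just the commits the push added, so a rewritten history that pulls a protected file into the MR still resets the owner's approval. The CODEOWNERS matching is a simplified, gitignore-like approximation and the "last matching rule per section wins" behaviour is an assumption; the commit ids and blob ids are invented.

```python
# Added example for this issue: a model of the code-owner approval reset
# check. Not GitLab's implementation; CODEOWNERS matching is simplified
# (assumption) and all commit/blob ids below are constructed.
from fnmatch import fnmatch


def parse_codeowners(text):
    """Parse a GitLab-style CODEOWNERS file into (pattern, owners, section) rules.

    Blank lines and comments are skipped; a line like ``[Code Owners]`` opens a
    section that applies to the rules following it.
    """
    rules = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        pattern, *owners = line.split()
        rules.append((pattern, tuple(owners), section))
    return rules


def path_matches(pattern, path):
    """Approximate gitignore-style matching (assumption: simplified semantics).

    A pattern ending in ``/`` matches everything under that directory; a
    pattern without a slash (``*.yml``) matches the file name at any depth;
    anything else is matched against the full path from the repository root.
    """
    if pattern.endswith("/"):
        return path.startswith(pattern.lstrip("/"))
    if "/" not in pattern:
        return fnmatch(path.rsplit("/", 1)[-1], pattern)
    return fnmatch(path, pattern.lstrip("/"))


def owners_for(rules, path):
    """Code owners of ``path``; the last matching rule in each section wins (assumption)."""
    winner_per_section = {}
    for pattern, owners, section in rules:
        if path_matches(pattern, path):
            winner_per_section[section] = owners
    return {o for owners in winner_per_section.values() for o in owners}


def is_force_push(old_head, new_branch_history):
    """True when the push rewrote history: the previous head is no longer on the branch."""
    return old_head not in new_branch_history


def approvals_to_reset(rules, diff_before, diff_after):
    """Owners whose approvals must be reset after a push to the MR branch.

    ``diff_before`` / ``diff_after`` map each path the MR changes, relative to
    its merge base with the target branch, to the blob id the MR introduces.
    Any path whose blob differs between the two snapshots counts as changed,
    which is what exposes the reset + amend + force-push rewrite in the report.
    """
    touched = {
        path
        for path in set(diff_before) | set(diff_after)
        if diff_before.get(path) != diff_after.get(path)
    }
    return {owner for path in touched for owner in owners_for(rules, path)}


# Constructed scenario following the report: CODEOWNERS protects *.yml, the MR
# was approved while it changed only README.md, then the branch was force-pushed
# with an amended commit that also carries an extra job in .gitlab-ci.yml.
CODEOWNERS_TEXT = """\
[Code Owners]
*.yml @OWNER_USERNAME
"""


def report_scenario():
    """Return (force_push_detected, owners_to_reset) for the report's sequence."""
    rules = parse_codeowners(CODEOWNERS_TEXT)
    mr_diff_when_approved = {"README.md": "blob-readme-v2"}
    mr_diff_after_force_push = {
        "README.md": "blob-readme-v2",
        ".gitlab-ci.yml": "blob-ci-with-evil-job",
    }
    history_before = ["m0", "m1-owner-ci-change", "b1-readme"]  # head: b1-readme
    history_after = ["m0-amended"]  # reset HEAD~2 + amend: b1-readme is gone
    forced = is_force_push(history_before[-1], history_after)
    reset = approvals_to_reset(rules, mr_diff_when_approved, mr_diff_after_force_push)
    return forced, reset


if __name__ == "__main__":
    forced, reset = report_scenario()
    print("force push detected:", forced)
    print("code-owner approvals to reset:", sorted(reset))
```

Running the scenario reports a force push and `@OWNER_USERNAME` as an approval to reset, because `.gitlab-ci.yml` entered the MR's diff against the target after the owner had approved. A push that only re-edits README.md produces no reset, since no code-owner rule matches it.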