Privilege escalation to Owner from a custom role with manage_group_access_tokens permission
Problem
On an instance with a custom role whose base role is Guest and which has the custom permission `manage_group_access_tokens`, a low-privileged user can escalate themselves to Owner by creating an Owner-level Group Access Token (GAT), from both the UI and the REST API. Steps to reproduce the bug from the UI are listed below. For the REST API, just make an API call to this endpoint as a user who has a custom role with base role Guest and the `manage_group_access_tokens` permission.
This is a Medium severity vulnerability.
Steps to reproduce
- Create an instance-level custom role on your self-managed instance with base role `Guest` and add the `manage_group_access_tokens` permission.
- Assign this role to a member in a group using the Rails console:

```ruby
group = Group.find_by_full_path('group-path')
# user_id is a placeholder for the numeric id of the target user
member = group.members.find_by(user_id: user_id)
# MemberRole.last is the custom role created in the previous step
member.update(member_role: MemberRole.last)
```
- The custom role is now assigned to the group member, Eugene Thompson.
- Log in as Eugene Thompson and you will notice that you are able to create GATs with the `Owner` role.
- Verify that the Owner GAT has been created by making API calls with that GAT:

```shell
curl -H "PRIVATE-TOKEN: Guest GAT" https://gdk.test:3443/api/v4/groups/98/members/all | jq
```
Proposal
Similar to #433463 (comment 1729696309), a user with a custom role should only be able to create a GAT with an access level that is less than or equal to their own access level, up to a maximum of Maintainer if their custom role's base role is Maintainer.
We must address this in both the UI and the REST API endpoints. I'm not sure whether we have corresponding GraphQL endpoints that are affected by this issue as well; if so, we must address this bug there too.
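To make the proposed rule concrete, the following is an added Ruby example written for this issue, not GitLab's own code. It puts the permission-only check that produces the escalation next to the proposed check that caps the token's access level. The numeric access levels mirror GitLab's `Gitlab::Access` constants; the `CustomRole` and `Member` structs, the `:manage_group_access_tokens` symbol and the `vulnerable_can_create_gat?` / `hardened_can_create_gat?` names are simplified stand-ins chosen for the example.

```ruby
# Added example (not GitLab's code): models the access-level cap proposed in
# this issue for group access tokens (GATs) created by a user with a custom role.
# Access level values mirror GitLab's Gitlab::Access constants; the structs and
# method names below are simplified stand-ins, not GitLab's real model classes.

GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# A custom role: its base role (a static access level) plus the custom
# permissions granted on top of it.
CustomRole = Struct.new(:base_access_level, :permissions)

# A group member: their static access level and an optional custom role.
Member = Struct.new(:access_level, :member_role) do
  # A custom role never raises the member's effective access level; it only
  # adds permissions on top of the base role.
  def effective_access_level
    return access_level unless member_role
    [access_level, member_role.base_access_level].min
  end

  # Owners hold every permission; everyone else only what their custom role grants.
  def can?(permission)
    return true if access_level >= OWNER
    !!(member_role && member_role.permissions.include?(permission))
  end
end

# Vulnerable check (the behaviour this issue reports): the only gate is the
# manage_group_access_tokens permission, so a Guest-based custom role can mint
# an Owner-level token. The requested level is never compared to anything.
def vulnerable_can_create_gat?(member, _requested_access_level)
  member.can?(:manage_group_access_tokens)
end

# Hardened check (the proposal): the permission is still required, the requested
# level may not exceed the creator's own effective level, and for custom-role
# holders it is additionally capped at Maintainer. A real Owner (no custom role)
# keeps the ability to create an Owner-level token.
def hardened_can_create_gat?(member, requested_access_level)
  return false unless member.can?(:manage_group_access_tokens)

  ceiling = member.effective_access_level
  ceiling = [ceiling, MAINTAINER].min if member.member_role
  requested_access_level <= ceiling
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the Guest-based custom role from the reproduction steps.
  guest_role = CustomRole.new(GUEST, [:manage_group_access_tokens])
  eugene     = Member.new(GUEST, guest_role)

  puts "vulnerable: guest creates Owner GAT? #{vulnerable_can_create_gat?(eugene, OWNER)}" # true
  puts "hardened:   guest creates Owner GAT? #{hardened_can_create_gat?(eugene, OWNER)}"   # false
  puts "hardened:   guest creates Guest GAT? #{hardened_can_create_gat?(eugene, GUEST)}"   # true
end
```

The two checks differ only in whether the requested access level is compared against the creator. That comparison is the whole fix, so whatever shared service backs the UI form and the REST endpoint (and any GraphQL mutation, if one exists) is where it belongs, so that no entry point can skip it.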
/cc @jayswain @jrandazzo