Privilege escalation to Owner from a custom role with manage_group_access_tokens permission

Problem

On an instance where a custom role has a base role of Guest and the custom permission manage_group_access_tokens, a low-privileged user can escalate to Owner: the role lets them create an Owner-level Group Access Token (GAT) from both the UI and the REST API. Steps to reproduce from the UI are given below. For the REST API, make the same token-creation call to this endpoint as a user holding a custom role with base role Guest and the manage_group_access_tokens permission.

This is a Medium severity vulnerability.

Steps to reproduce

  1. Create an instance-level custom role on your self-managed instance with the base role Guest and the manage_group_access_tokens permission added.

  2. Assign this role to a member of a group using the Rails console:
group = Group.find_by_full_path('group-path')    # placeholder: full path of the target group
member = group.members.find_by(user_id: USER_ID) # USER_ID: placeholder for the member's numeric user id
member.update(member_role: MemberRole.last)      # assign the most recently created custom role
  3. The custom role is now assigned to the group member, Eugene Thompson.

  4. Log in as Eugene Thompson; you will be able to create GATs with the Owner role.

  5. Verify that the Owner GAT was created by making API calls with it:

curl -H "PRIVATE-TOKEN: Guest GAT" https://gdk.test:3443/api/v4/groups/98/members/all | jq

Proposal

Similar to #433463 (comment 1729696309), a user with a custom role should only be able to create a GAT with an access level less than or equal to their own access level, up to a maximum of Maintainer (the case where the custom role's base role is Maintainer).
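The following is an added example, not GitLab's own code, that models the check the proposal describes. The permission-only check reproduces the reported behaviour (a Guest-based custom role can request an Owner token); the proposed check bounds the requested level by the creator's own access level and caps custom roles at Maintainer. The numeric role constants match the values GitLab uses for roles; the Creator struct and both check functions are assumptions made for illustration.

```ruby
# Added example (not GitLab's own code): access-level check for group access
# token (GAT) creation, as proposed in the issue.

# Numeric role values as used by GitLab.
module AccessLevel
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Assumed representation of the member attempting to create a GAT:
#   access_level               - the member's effective role (for a custom role, its base role)
#   custom_role                - true when the member holds a custom role
#   manage_group_access_tokens - whether the role grants the custom permission
Creator = Struct.new(:access_level, :custom_role, :manage_group_access_tokens, keyword_init: true)

# The flawed logic the issue reports: only the permission is consulted, so the
# requested access level is never compared with the creator's own level.
def permission_only_allows?(creator, _requested_level)
  creator.manage_group_access_tokens
end

# Proposed check: the requested level may not exceed the creator's own level,
# and a custom role is additionally capped at Maintainer.
def proposed_allows?(creator, requested_level)
  return false unless creator.manage_group_access_tokens

  ceiling = creator.access_level
  ceiling = [ceiling, AccessLevel::MAINTAINER].min if creator.custom_role
  requested_level <= ceiling
end

# Reproduces the issue's scenario: a Guest-based custom role with the
# manage_group_access_tokens permission requesting an Owner GAT.
def guest_custom_role_requests_owner
  guest = Creator.new(access_level: AccessLevel::GUEST,
                      custom_role: true,
                      manage_group_access_tokens: true)
  {
    permission_only: permission_only_allows?(guest, AccessLevel::OWNER), # true  (the bug)
    proposed:        proposed_allows?(guest, AccessLevel::OWNER)         # false (fixed)
  }
end

puts guest_custom_role_requests_owner if $PROGRAM_NAME == __FILE__
```

The same `proposed_allows?` predicate belongs in front of every creation path (UI controller, REST endpoint, and any GraphQL mutation that creates group access tokens) so that the comparison cannot be bypassed by choosing a different client.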

We must address this in both the UI and the REST API endpoints. I'm not sure whether we have corresponding GraphQL endpoints that are affected by this issue as well; if so, we must address the bug there too.

/cc @jayswain @jrandazzo

Edited by Rohit Shambhuni