
Users with the `Guest` role can change `Custom dashboard projects` settings for projects in the victim group

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2316435 by them4les_l1r on 2024-01-15, assigned to @kmorrison1:


Report

Summary:

Based on this documentation, users with the Guest role cannot change group and project settings.

I found a bug where users with the Guest role can change the Analytics Dashboards settings for groups and projects.

Steps to Reproduce:

[Victim]

  1. To reproduce this bug, you need to create a GitLab account with the Ultimate SaaS plan trial feature
  2. Go to https://gitlab.com and select Get Free Trial
  3. Complete registration and at the end of the form you are asked to create a group and project.
  4. Invite the attacker as a guest in your project.
  5. Go to your group -> select your project -> in the sidebar select Settings -> Analytics -> expand. You will notice that Custom dashboard projects is not yet set up.
  6. The attacker will set these features.

[Attacker]

  1. Open https://gitlab.com and log in to the attacker's account
  2. Go to the victim's group -> then select victim project
  3. Add /-/settings/analytics to the end of the URL and press Enter
  4. You will be directed to the Custom dashboard projects page.

Screenshot_from_2024-01-15_10-38-12.png

  5. Select the victim project in the combobox and select Save changes. The attacker succeeded in changing the Custom dashboard projects setting on the victim project.

Affected endpoints:

POST /group-name/project-name/-/settings/analytics HTTP/2  
Host: gitlab.com

_method=patch&authenticity_token={TOKEN}&project%5Banalytics_dashboards_pointer_attributes%5D%5Bid%5D=XXXXXX&project%5Banalytics_dashboards_pointer_attributes%5D%5Btarget_project_id%5D={PROJECT ID}

POC VIDEO:

Attacker_as_guest_can_set_Custom_Analytics_Dashboard.mp4

Impact

Users with the Guest role, who do not have access to group and project settings, can change the Custom dashboard projects setting for projects in the victim group.
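As an added illustration from the defender's side (not GitLab's code and not part of the report): a minimal Ruby model of the authorization guard that a project settings update such as the Analytics settings form needs, with the unchecked shape beside the role-gated one. The Project struct, method names and sample ids are assumptions; only the numeric access levels follow GitLab's documented scale.

```ruby
# Access level values follow GitLab's documented numeric scale; everything
# else here (Project struct, method names) is a simplified stand-in, not
# GitLab's implementation.
GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# A project with a members map (user id => access level) and the single
# setting the report concerns: which project backs custom dashboards.
Project = Struct.new(:id, :members, :analytics_dashboards_pointer) do
  # Access level of a user in this project, or nil when not a member.
  def access_level_for(user_id)
    members[user_id]
  end
end

# Project settings are an admin action: Maintainer or Owner only.
def can_admin_project?(project, user_id)
  level = project.access_level_for(user_id)
  !level.nil? && level >= MAINTAINER
end

# Vulnerable shape: the handler trusts the request and writes the setting
# for any user who can reach the form, so a Guest can change it.
def update_analytics_settings_unchecked(project, _user_id, target_project_id)
  project.analytics_dashboards_pointer = target_project_id
  :ok
end

# Hardened shape: the same write, gated on the caller's role before any
# attribute is touched.
def update_analytics_settings(project, user_id, target_project_id)
  return :forbidden unless can_admin_project?(project, user_id)
  project.analytics_dashboards_pointer = target_project_id
  :ok
end

# Constructed sample: project 42 with one Owner (user 1) and one Guest (user 7).
def build_sample_project
  Project.new(42, { 1 => OWNER, 7 => GUEST }, nil)
end

if __FILE__ == $PROGRAM_NAME
  p update_analytics_settings_unchecked(build_sample_project, 7, 99) # :ok
  p update_analytics_settings(build_sample_project, 7, 99) # :forbidden
  p update_analytics_settings(build_sample_project, 1, 99) # :ok
end
```

The guard belongs in the update path itself, not only in the view that renders the form, because the report shows the form being reached directly by URL.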

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: